I believe the following code, added to the top of settings.py in Horizon, will blanket fix this issue.
import django.utils.html
from django.utils.safestring import mark_safe

def escape(text, existing=django.utils.html.escape):
    # replace our angular markup string with a different string
    # (just happens to be the Django comment string)
    escaped = existing(text).replace('{$', '{%').replace('$}', '%}')
    # str.replace() returns a plain str, dropping Django's SafeString
    # marking; re-mark it so the result is not escaped a second time
    return mark_safe(escaped)

django.utils.html.escape = escape
I have not done a thorough analysis of whether this is further exploitable, though I believe it is not. I am not sure whether it will damage any data in OpenStack (I don't know whether "{$" and "$}" are valid values of data anywhere in OpenStack).
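The patch above works by wrapping the escaper Django already applies to template variables and rewriting the AngularJS interpolation delimiters after HTML escaping. As an added, self-contained illustration (not the commenter's code and not Horizon's), the block below reimplements that wrapper over the stdlib html.escape, used here as an assumed stand-in for django.utils.html.escape so it runs without Django; it also adds a defender-side check for leftover "{$ ... $}" pairs in rendered output and shows the monkey-patch pattern against a constructed stand-in module. The sample input is constructed and uses a benign arithmetic expression.

```python
import html
import types

# Delimiters named in the comment: Horizon configures AngularJS to interpolate
# "{$ ... $}", and the proposed patch rewrites them to the Django tag
# delimiters "{% ... %}", which AngularJS leaves alone.
ANGULAR_OPEN, ANGULAR_CLOSE = "{$", "$}"
SAFE_OPEN, SAFE_CLOSE = "{%", "%}"


def escape_for_angular(text, existing=html.escape):
    """HTML-escape `text` with `existing`, then neutralize Angular delimiters.

    `existing` defaults to the stdlib html.escape as an assumed stand-in for
    django.utils.html.escape (Django is not required to run this).
    """
    escaped = existing(str(text))
    return escaped.replace(ANGULAR_OPEN, SAFE_OPEN).replace(ANGULAR_CLOSE, SAFE_CLOSE)


def contains_angular_interpolation(rendered):
    """Detection check on rendered output: is an unbroken {$ ... $} pair left?"""
    start = rendered.find(ANGULAR_OPEN)
    if start == -1:
        return False
    return rendered.find(ANGULAR_CLOSE, start + len(ANGULAR_OPEN)) != -1


def install_patch(module):
    """Replace `module.escape` with the neutralizing wrapper, the way the
    comment patches django.utils.html.escape when settings.py is imported.

    The original is captured as a default argument so the wrapper keeps
    working even if `module.escape` is reassigned again later. The original
    is returned so a caller (or a test) can restore it.
    """
    original = module.escape

    def escape(text, existing=original):
        return escape_for_angular(text, existing)

    module.escape = escape
    return original


def demo():
    # Constructed stand-in for the django.utils.html module.
    fake_html_module = types.SimpleNamespace(escape=html.escape)
    # Constructed sample: user-controlled text carrying HTML plus an Angular
    # interpolation expression (benign arithmetic, not a payload).
    user_input = '<b>{$ 1 + 1 $}</b>'

    before = fake_html_module.escape(user_input)   # plain HTML escaping only
    install_patch(fake_html_module)
    after = fake_html_module.escape(user_input)    # escaping with the patch
    return {
        "before": before,
        "before_still_interpolates": contains_angular_interpolation(before),
        "after": after,
        "after_still_interpolates": contains_angular_interpolation(after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats apply when this pattern is used against the real django.utils.html: Django's escape returns a SafeString and str.replace() yields a plain str, so the wrapper should re-mark its result with mark_safe to avoid a second escaping pass downstream; and any module that ran `from django.utils.html import escape` before settings.py was imported keeps its reference to the original function, so the patch only covers call sites that resolve the attribute on the module at call time.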