Horizon does not directly render the error message from the backend, because the backend messages are not translatable. So we have a low risk of this happening in Horizon.
Even if we directly render the backend message, when we render the message in a Django template, we automatically escape the messages.
For example:
https://github.com/openstack/horizon/blob/master/horizon/templates/horizon/_messages.html#L10
{{ messages }} automatically escapes the rendered string, unless the string is explicitly set as "safe", which we don't normally do.
Marking as invalid for horizon.