Comment 26 for bug 1308727

Kieran Spear (kspear) wrote : Re: XSS in Horizon Heat template - resource name

Hi Julie, thanks for the patch.

One further issue we need to consider with this bug in particular is javascript: URLs. If you change the resource name to "javascript:alert(1)" you'll see that this code is still executed. We should probably be using 'reverse' to generate the URL to the resource?
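The point raised in this comment, shown as an added example that is not part of the original comment and is not Horizon's code: HTML-escaping leaves a `javascript:` link target untouched, while placing the name as an encoded path segment under a server-generated route does not. The route string `RESOURCE_ROUTE` and the helper names are hypothetical, standing in for what Django's `reverse` would produce, and the stack id is a constructed sample.

```python
import html
from urllib.parse import quote, urlsplit

# Hypothetical route, standing in for the path Django's reverse() would build.
RESOURCE_ROUTE = "/project/stacks/stack/{stack_id}/{resource}/"

# Leading characters (C0 controls and space) that browsers strip from a URL.
_LEADING_JUNK = "".join(chr(i) for i in range(0x21))


def naive_href(resource_name):
    """Before: the resource name itself is the link target, HTML-escaped only."""
    return html.escape(resource_name, quote=True)


def routed_href(stack_id, resource_name):
    """After: the name is one percent-encoded segment under a fixed route."""
    return RESOURCE_ROUTE.format(
        stack_id=quote(stack_id, safe=""),
        resource=quote(resource_name, safe=""),
    )


def is_safe_href(url):
    """Accept only site-relative paths or http(s) URLs as link targets."""
    # Browsers drop tab, CR and LF anywhere in a URL before parsing it.
    cleaned = "".join(c for c in url if c not in "\t\r\n").lstrip(_LEADING_JUNK)
    if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
        return True
    try:
        return urlsplit(cleaned).scheme.lower() in ("http", "https")
    except ValueError:
        return False


if __name__ == "__main__":
    name = "javascript:alert(1)"   # the resource name from the comment
    stack = "abc-123"              # constructed sample stack id
    for href in (naive_href(name), routed_href(stack, name)):
        print(f"{href!r:60} safe={is_safe_href(href)}")
```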