Reviewed: https://review.openstack.org/105476
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=de4466d88b816437fb29eff5ab23b9b964cd3985
Submitter: Jenkins
Branch: master

commit de4466d88b816437fb29eff5ab23b9b964cd3985
Author: Julie Pichon <email address hidden>
Date: Thu May 22 16:45:03 2014 +0100
Fix multiple Cross-Site Scripting (XSS) vulnerabilities.

* Ensure user emails are properly escaped

User emails in the Users and Groups panel are being passed through the
urlize filter to transform them into clickable links. However, urlize
expects input to be already escaped and safe. We should make sure to
escape the strings first as email addresses are not validated and can
contain any type of string.

Closes-Bug: #1320235

* Ensure network names are properly escaped in the Launch Instance menu

Closes-Bug: #1322197

* Escape the URLs generated for the Horizon tables

When generating the Horizon tables, there was an assumption that only
the anchor text needed to be escaped. However some URLs are generated
based on user-provided data and should be escaped as well.

* Use 'reverse' to generate the Resource URLs in the stacks tables

Closes-Bug: #1308727

Change-Id: Ic8a92e69f66c2d265a802f350e30f091181aa42e
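The two escaping mistakes the commit message describes (feeding unescaped text to a linkifier that assumes escaped input, and escaping only the anchor text of a generated link) are shown side by side below, as an added example that is not Horizon's code and not the content of the patch. Django's urlize filter and reverse() are replaced by offline stand-ins (naive_urlize, and urllib.parse.quote for the path segment) so the script runs without Django; the /project/stacks/<id>/ path shape, the function names and the two attacker-controlled inputs are constructed for illustration.

```python
"""Escape-before-linkify and escape-the-href, as an added example.

Not Horizon's code. Stand-ins replace Django's urlize filter and reverse()
so the script runs offline; see the lead-in for what is assumed.
"""
import html
import re
from urllib.parse import quote

# Stand-in for a urlize-style filter: like Django's urlize it assumes the
# text it receives is already escaped, so it wraps matches as-is.
_EMAIL_RE = re.compile(r"(\S+@\S+\.\w+)")


def naive_urlize(text):
    """Wrap anything email-shaped in a mailto link without escaping it."""
    return _EMAIL_RE.sub(r'<a href="mailto:\1">\1</a>', text)


def render_email_before(email):
    """Pre-fix behaviour: user-controlled address straight into urlize."""
    return naive_urlize(email)


def render_email_after(email):
    """Fixed: escape first, so the linkifier only ever sees safe text."""
    return naive_urlize(html.escape(email, quote=True))


def stack_link_before(label, stack_id):
    """Pre-fix assumption: only the anchor text needs escaping."""
    return '<a href="/project/stacks/%s/">%s</a>' % (stack_id, html.escape(label))


def stack_link_after(label, stack_id):
    """Fixed: build the path from the percent-encoded id (stand-in for
    reverse()), then escape the whole href as an attribute value and the
    label as text, so neither side of the link can break out."""
    href = "/project/stacks/%s/" % quote(str(stack_id), safe="")
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(label))


# Constructed attacker-controlled inputs (not taken from any real deployment).
EVIL_EMAIL = '"><script>alert(1)</script>@example.com'
EVIL_STACK_ID = '"><img src=x onerror=alert(1)>'


def injected(markup):
    """True if the rendered output still contains a live tag or handler."""
    return bool(re.search(r"<script|<img|\bonerror=", markup))


def demo():
    """Render each input the old and the fixed way and report injection."""
    results = {
        "email_before": render_email_before(EVIL_EMAIL),
        "email_after": render_email_after(EVIL_EMAIL),
        "stack_before": stack_link_before("my-stack", EVIL_STACK_ID),
        "stack_after": stack_link_after("my-stack", EVIL_STACK_ID),
    }
    for name, markup in results.items():
        print("%-13s injected=%-5s %s" % (name, injected(markup), markup))
    return results


if __name__ == "__main__":
    demo()
```

Running the script prints the four rendered links; only the two "before" variants contain live markup. Note that in the fixed email case the escaped address still ends up inside the href, which is harmless: the entities are decoded as attribute text, not as new attributes, so the link target is just an odd mailto: address. Django's real reverse() percent-encodes its arguments but does not HTML-escape them, which is why the attribute value is escaped separately here as well.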