Comment 7 for bug 1567673

Richard Jones (r1chardj0n3s) wrote : Re: Possible client side template injection in horizon

I can confirm that Horizon is vulnerable to this exploit, since Django is involved in generating all top-level HTML, and that will always include templating in user-supplied data which is not sanitised for angularjs safety.

To reproduce, create a new Image with the Description set to:

 {$
    "a".constructor.prototype.charAt=[].join;
    $eval("x=alert(1)")+""
 $}

Even though you receive an error, the value is templated back into the form by Django to be returned to the user, and the alert will pop up. A few times.
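A regression check for the behaviour described in the comment above, added here as an example and not part of the original comment or of Horizon's code: it submits a harmless canary written with the `{$ $}` delimiters and reports whether the server echoes it into markup that AngularJS would compile, treating anything under AngularJS's `ng-non-bindable` directive as shielded. The `render()` stand-in, its markup and the canary string are constructed for illustration, and using `ng-non-bindable` as the mitigation under test is an assumption.

```python
import html
from html.parser import HTMLParser

CANARY = "{$ canary_check $}"   # harmless marker using the {$ $} delimiters (constructed)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

class CanaryFinder(HTMLParser):
    """Record where the canary lands in markup AngularJS would compile."""
    def __init__(self, canary):
        super().__init__(convert_charrefs=True)
        self.canary, self.stack, self.hits = canary, [], []

    def _shielded(self):
        # True when the innermost open element is inside ng-non-bindable
        return bool(self.stack) and self.stack[-1]

    def handle_starttag(self, tag, attrs):
        shielded = self._shielded() or any(k == "ng-non-bindable" for k, _ in attrs)
        if not shielded:
            self.hits += [f"<{tag}> attribute {k}" for k, v in attrs
                          if v and self.canary in v]
        if tag not in VOID:
            self.stack.append(shielded)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.canary in data and not self._shielded():
            self.hits.append("text node")

def compiled_hits(page, canary=CANARY):
    """Return the places where the canary sits in a compiled region."""
    finder = CanaryFinder(canary)
    finder.feed(page)
    finder.close()
    return finder.hits

def render(description, shield=False):
    """Constructed stand-in for a Django-rendered form with HTML autoescaping."""
    attr = " ng-non-bindable" if shield else ""
    return (f"<form><div{attr}><textarea name=\"description\">"
            f"{html.escape(description)}</textarea></div></form>")

if __name__ == "__main__":
    print(compiled_hits(render(CANARY)))               # unshielded echo
    print(compiled_hits(render(CANARY, shield=True)))  # inside ng-non-bindable
```

HTML escaping leaves the canary unchanged because `{`, `$` and `}` are not HTML metacharacters, which is why autoescaping alone does not stop the echo from being interpolated.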