I can confirm that Horizon is vulnerable to this exploit, since Django is involved in generating all top-level HTML, and that will always include templating in user-supplied data which is not sanitised for angularjs safety.
To reproduce, create a new Image with the Description set to:
Even though you receive an error, the value is templated back into the form by Django to be returned to the user, and the alert will pop up. A few times.
I can confirm that Horizon is vulnerable to this exploit, since Django is involved in generating all top-level HTML, and that will always include templating in user-supplied data which is not sanitised for angularjs safety.
To reproduce, create a new Image with the Description set to:
{$ .constructor. prototype. charAt= [].join; "x=alert( 1)")+""
"a"
$eval(
$}
Even though you receive an error, the value is templated back into the form by Django to be returned to the user, and the alert will pop up. A few times.