XSS in HTML report output
Bug #1612988 reported by
Travis McPeak
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bandit |
Fix Released
|
Undecided
|
Unassigned | ||
| OpenStack Security Notes |
Fix Released
|
Undecided
|
Tim Kelsey | ||
Bug Description
The following Python code snippet will cause script execution when a HTML report is generated and viewed:
import subprocess
subprocess.
This is because the HTML formatter is failing to HTML escape the code snippets. We need to investigate the best standard library (or OpenStack condoned library) to HTML escape and then apply that to the issue text.
Revision history for this message
| Travis McPeak (travis-mcpeak) wrote | #1 |
Revision history for this message
| Stanislaw Pitucha (viraptor-gmail) wrote Re: [Bug 1612988] Re: XSS in HTML report output | #2 |
Revision history for this message
| Tim Kelsey (tim-kelsey) wrote | #3 |
| Changed in bandit: | |
| status: | New → Fix Released |
Revision history for this message
| Tim Kelsey (tim-kelsey) wrote | #4 |
Revision history for this message
| Ian Cordasco (icordasc) wrote | #5 |
Revision history for this message
| Tim Kelsey (tim-kelsey) wrote | #6 |
| information type: | Private Security → Public Security |
Revision history for this message
| Tim Kelsey (tim-kelsey) wrote | #7 |
| Changed in ossn: | |
| assignee: | nobody → Tim Kelsey (tim-kelsey) |
| status: | New → In Progress |
Revision history for this message
| Luke Hinds (lhinds) wrote | #8 |
| Changed in ossn: | |
| status: | In Progress → Fix Released |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Change abandoned on bandit (stable/0.17.0) | #9 |
To post a comment you must log in.
Alright guys, what's the best way to HTML escape? We should roll a new release for this ASAP.