Public bug reported:

When using the mark_safe function, it is easy to cause XSS attacks. However, there are a lot of mark_safe function uses in the Horizon code, such as using the dashboard interface to obtain instance information, using the render function for server-side rendering, etc. Should we consider adding keyword filtering to prevent attacks?

Examples for related code:
File: horizon\horizon\forms\fields.py
235     output.append('</select>')
236     return mark_safe('\n'.join(output))
237

File: horizon\openstack_dashboard\dashboards\project\instances\tables.py
1185     '</span>').format(help_tooltip, icon_classes)
1186     return mark_safe(locked_status)
1187

** Affects: horizon
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1908233

Title:
  subprocess_popen_with_shell_equals_true

Status in OpenStack Dashboard (Horizon):
  New

--
Mailing list: https://launchpad.net/~yahoo-eng-team
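The two call sites quoted in the report share one shape: untrusted values are interpolated into markup with `.format()` or `'\n'.join()`, and the finished string is then passed to `mark_safe`, which trusts it without inspecting it. The following is an added example, not code from the bug report or from Horizon, showing that sink beside the escape-then-mark discipline that Django exposes as `format_html`. To run without Django it uses small stand-ins for `SafeString`, `mark_safe`, `conditional_escape` and `format_html` (assumptions that mirror the Django behaviour, not the real implementations); the `<span>` markup, the `select_hardened` builder, the `keyword_filter` function and the attacker payloads are constructed for illustration.

```python
"""Added example (not Horizon's code): mark_safe() over a string built
from untrusted values is an XSS sink; escaping each value before marking
the result safe (Django's format_html() pattern) is the fix.

SafeString/mark_safe/conditional_escape/format_html below are minimal
stand-ins for django.utils.safestring and django.utils.html so the
example runs without Django. The markup and payloads are constructed.
"""
import html


class SafeString(str):
    """Marker type: the template layer emits it verbatim instead of
    escaping it (stand-in for django.utils.safestring.SafeString)."""


def mark_safe(s):
    # Like Django's mark_safe: declares s trusted. It inspects nothing,
    # so whatever was interpolated into s reaches the browser unchanged.
    return SafeString(s)


def escape(value):
    # Replace the characters that can end a text node or attribute value:
    # & < > " '  (html.escape with quote=True handles all five).
    return html.escape(str(value), quote=True)


def conditional_escape(value):
    # Escape plain values; pass already-trusted SafeString through.
    return value if isinstance(value, SafeString) else escape(value)


def format_html(fmt, *args, **kwargs):
    # Stand-in for django.utils.html.format_html: the format string is the
    # developer's literal markup (trusted); every argument is escaped
    # before interpolation, and only the assembled result is marked safe.
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args),
                                **{k: conditional_escape(v)
                                   for k, v in kwargs.items()}))


def render(value):
    # What the template engine does with a context value.
    return conditional_escape(value)


# Constructed attacker-controlled value, e.g. an instance attribute that
# an API returns and that ends up in a tooltip.
PAYLOAD = '"><script>alert(document.domain)</script><span title="'


def locked_status_vulnerable(help_tooltip, icon_classes):
    # The pattern from the report: values are .format()-ed into markup and
    # the whole string is mark_safe()-d. Nothing escapes help_tooltip, so a
    # double quote inside it closes the title attribute.
    locked_status = ('<span class="{1}" title="{0}">'
                     '</span>').format(help_tooltip, icon_classes)
    return mark_safe(locked_status)


def locked_status_hardened(help_tooltip, icon_classes):
    # Identical output for benign input; each value is escaped first.
    return format_html('<span class="{1}" title="{0}"></span>',
                       help_tooltip, icon_classes)


def select_hardened(name, choices):
    # The multi-line <select> shape from forms/fields.py: build each
    # <option> with format_html so value and label are escaped, then join
    # the trusted pieces with a trusted separator and mark the whole safe.
    output = [format_html('<select name="{}">', name)]
    for value, label in choices:
        output.append(format_html('<option value="{}">{}</option>',
                                  value, label))
    output.append('</select>')
    return mark_safe('\n'.join(output))


def keyword_filter(value, banned=('<script', 'javascript:')):
    # The mitigation the report proposes: a deny-list on the value. Kept
    # here to show that it does not stop an attribute breakout.
    lowered = value.lower()
    return '' if any(b in lowered for b in banned) else value


if __name__ == '__main__':
    print(render(locked_status_vulnerable(PAYLOAD, 'fa fa-lock')))
    print(render(locked_status_hardened(PAYLOAD, 'fa fa-lock')))
    # No banned keyword, yet the vulnerable pattern still yields an
    # onmouseover handler:
    print(render(locked_status_vulnerable(
        keyword_filter('" onmouseover="alert(1)'), 'fa fa-lock')))
```

Run it and compare the three lines: the first contains a live `<script>` element, the second carries the same payload inert inside `title="..."`, and the third shows the weakness of keyword filtering, since `" onmouseover="alert(1)` contains nothing on the deny-list but still breaks out of the attribute. The property to audit at each `mark_safe` call in Horizon is therefore not which words the input contains but whether every interpolated value was escaped for its HTML context before the string was marked safe; `format_html` (and `format_html_join` for the list-building case) makes that property hold by construction, so converting call sites to it is the change a reviewer would ask for rather than a filter on the values.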