yahoo-eng-team team mailing list archive

[Bug 1567673] Re: [OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)


Reviewed:  https://review.openstack.org/329998
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Submitter: Jenkins
Branch:    master

commit 62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Author: Richard Jones <r1chardj0n3s@xxxxxxxxx>
Date:   Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML
    
    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.
    
    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1567673

Title:
  [OSSA-2016-010] Possible client side template injection in horizon
  (CVE-2016-4428)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Committed

Bug description:
  I'm working through my group's process to deploy a new web app so that
  we can provide OpenStack in our production environment. Part of that
  process is having an authenticated security scan done by Acunetix.

  I've attached a screenshot of the report for the alert received during
  the scan.

  Unfortunately I'm not a dev, so I'm not sure if this is a false alarm
  or not.

  Quick research found the following link which talks about the issue in
  general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

  Any input would be greatly appreciated.

  Thanks!
  Brandon

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1567673/+subscriptions
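The commit above describes wrapping Django's HTML escape so that untrusted text also has its AngularJS interpolation markers neutralised while safe (trusted) HTML passes through untouched. The following is an added illustration of that idea, not Horizon's own escape code: it uses the standard-library `html.escape` in place of `django.utils.html.escape`, a `SafeHTML` class standing in for Django's `SafeString`, and, because the commit message does not say which replacement Horizon used, AngularJS 1.x's documented backslash escape for delimiters (`\{\{` is rendered as a literal `{{` and is never evaluated). The delimiter pair is a parameter, since apps that reconfigure `$interpolateProvider` (Horizon uses `{$`/`$}`) must escape their own symbols; all sample inputs are constructed.

```python
"""Escape untrusted text for HTML and for AngularJS interpolation.

Added example, not Horizon's escape.py. It mirrors the commit's approach:
wrap the HTML escape so AngularJS delimiters in untrusted input are
neutralised, while trusted (safe) HTML is returned unchanged.
"""
import html


class SafeHTML(str):
    """Stand-in for Django's SafeString: markup already vetted by the caller."""


# AngularJS defaults. Apps that call $interpolateProvider.startSymbol()
# and .endSymbol() must pass their own pair (Horizon uses "{$" and "$}").
DEFAULT_START = "{{"
DEFAULT_END = "}}"


def _backslash_escape(marker):
    """AngularJS escape form: every character of a delimiter preceded by '\\'."""
    return "".join("\\" + ch for ch in marker)


def contains_interpolation(text, start=DEFAULT_START, end=DEFAULT_END):
    """Mirror $interpolate's scan: a start marker followed later by an end marker.

    Useful as a check that escaped output can no longer be bound.
    """
    i = text.find(start)
    return i != -1 and text.find(end, i + len(start)) != -1


def escape_untrusted(value, start=DEFAULT_START, end=DEFAULT_END):
    """HTML-escape untrusted text, then neutralise Angular delimiters in it.

    Trusted markup (SafeHTML) is returned as-is, like Django's escape does
    for SafeString, so template fragments that legitimately bind data are
    unaffected.
    """
    if isinstance(value, SafeHTML):
        return value
    escaped = html.escape(str(value), quote=True)
    # html.escape leaves '{', '}', '$' and '\' alone, so the delimiters survive
    # HTML escaping. Break each one so $interpolate's indexOf() cannot match;
    # Angular renders the escaped form as the literal delimiter characters.
    escaped = escaped.replace(start, _backslash_escape(start))
    escaped = escaped.replace(end, _backslash_escape(end))
    return SafeHTML(escaped)


if __name__ == "__main__":
    # Constructed samples: two untrusted strings and one trusted fragment.
    samples = [
        "{{ 7*7 }}",
        "<b>name</b> {{ 1+1 }}",
        SafeHTML("<span>{{ vm.title }}</span>"),
    ]
    for s in samples:
        out = escape_untrusted(s)
        print(repr(s), "->", repr(out), "| bindable:", contains_interpolation(out))
```

One caveat worth keeping in mind: the backslash form is only cosmetic-neutral where AngularJS actually compiles the output; text that Angular never touches will show the backslashes. The replacement strategy is therefore tied to the front-end framework and its configured symbols, which is why the pair is a parameter rather than a hard-coded constant.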