yahoo-eng-team team mailing list archive

[Bug 1908233] [NEW] subprocess_popen_with_shell_equals_true


Public bug reported:

When using the mark_safe function, it is easy to cause XSS attacks. However, there are a lot of mark_safe function uses in the horizon code, such as using the dashboard interface to obtain instance information, using the render function for server-side rendering, etc. Should we consider adding keyword filtering to prevent attacks?
Examples of related code:

File: horizon\horizon\forms\fields.py (lines 235-236)
        output.append('</select>')
        return mark_safe('\n'.join(output))

File: horizon\openstack_dashboard\dashboards\project\instances\tables.py (lines 1185-1186)
                     '</span>').format(help_tooltip, icon_classes)
    return mark_safe(locked_status)

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1908233

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1908233/+subscriptions
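Added example, not code from the bug report or from Horizon itself: it shows why `mark_safe` around a string assembled with `.format()` is the risk the reporter describes, and the fix pattern (escape each interpolated value, then mark only the assembled fragment safe). The `SafeString`, `mark_safe`, `conditional_escape` and `format_html` here re-implement the semantics of the Django helpers of the same names with the standard library so the block runs without Django; the `<span>` template and the tooltip value are constructed stand-ins, and the risk only materialises if an interpolated value is attacker-controlled.

```python
import html


class SafeString(str):
    """Marker type for content already known to be safe HTML (like django.utils.safestring.SafeString)."""


def mark_safe(s):
    """Promise that `s` is safe HTML. Nothing is escaped; the caller vouches for the whole string."""
    return SafeString(s)


def conditional_escape(value):
    """Escape unless the value was already marked safe (mirrors django.utils.html.conditional_escape)."""
    if isinstance(value, SafeString):
        return value
    return html.escape(str(value), quote=True)


def format_html(fmt, *args, **kwargs):
    """Escape every argument, then mark the assembled fragment safe (mirrors django.utils.html.format_html)."""
    escaped_args = [conditional_escape(a) for a in args]
    escaped_kwargs = {k: conditional_escape(v) for k, v in kwargs.items()}
    return mark_safe(fmt.format(*escaped_args, **escaped_kwargs))


# Same shape as the tables.py excerpt in the report: build markup with .format(), then mark_safe().
# Whatever help_tooltip contains is emitted verbatim, attribute quotes included.
def locked_status_unsafe(help_tooltip, icon_classes):
    locked_status = ('<span class="{1}" title="{0}">'
                     '</span>').format(help_tooltip, icon_classes)
    return mark_safe(locked_status)


# Hardened form: the markup skeleton is trusted, every interpolated value is escaped first.
def locked_status_safe(help_tooltip, icon_classes):
    return format_html('<span class="{1}" title="{0}"></span>', help_tooltip, icon_classes)


# Constructed sample value that closes the title attribute and injects a harmless tag.
TOOLTIP = '"><b>not a tooltip</b>'


def compare(tooltip=TOOLTIP, icon_classes="fa fa-lock"):
    """Return (unsafe_html, safe_html) for the same inputs so the difference is visible side by side."""
    return locked_status_unsafe(tooltip, icon_classes), locked_status_safe(tooltip, icon_classes)
```

Horizon, being a Django application, can call `django.utils.html.format_html` directly for this pattern; the point is that `mark_safe` should wrap only markup whose variable parts have already been escaped.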