Potential XSS on mark_safe function

Bug #1908233 reported by hanchl
Affects: OpenStack Dashboard (Horizon) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When using the mark_safe function, it is easy to cause XSS attacks. However, there are a lot of mark_safe function uses in the Horizon code, such as using the dashboard interface to obtain instance information, using the render function for server-side rendering, etc. Should we consider adding keyword filtering to prevent attacks?
Examples for related code:

File: horizon\horizon\forms\fields.py
    output.append('</select>')
    return mark_safe('\n'.join(output))

File: horizon\openstack_dashboard\dashboards\project\instances\tables.py
    '</span>').format(help_tooltip, icon_classes)
    return mark_safe(locked_status)
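The risk in both snippets is the same: untrusted strings are interpolated into HTML with str.format or '\n'.join and the finished markup is then handed to mark_safe, so the template engine never escapes them. Django's own mitigation is to escape each interpolated value first (format_html / conditional_escape) and only mark the assembled markup safe. The example below is added here and is not Horizon's or Django's code: it uses small stdlib stand-ins for SafeString, mark_safe, conditional_escape and format_html so it runs without Django installed, and the <span> and <select> templates are assumed shapes, since only the closing fragments are visible in the report.

```python
import html


# Constructed stand-ins for Django's SafeString / mark_safe / conditional_escape /
# format_html (assumption: the real helpers behave the same for these inputs).
class SafeString(str):
    """A str subclass that a template engine will emit without re-escaping."""


def mark_safe(s):
    # Marks s as trusted markup; it does NOT inspect or sanitize the content.
    return SafeString(s)


def conditional_escape(value):
    # Already-safe values pass through; anything else is HTML-escaped.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def format_html(template, *args, **kwargs):
    # Escape every interpolated value, then mark the assembled markup safe.
    return mark_safe(template.format(
        *(conditional_escape(a) for a in args),
        **{k: conditional_escape(v) for k, v in kwargs.items()}))


def locked_status_unsafe(help_tooltip, icon_classes):
    # Pattern from the report: format untrusted strings, then mark_safe the result.
    # If help_tooltip came from user-controlled data, its markup lands in the page as-is.
    locked_status = ('<span class="fa {1}" '
                     'title="{0}"></span>').format(help_tooltip, icon_classes)
    return mark_safe(locked_status)


def locked_status_safe(help_tooltip, icon_classes):
    # Hardened form: each value is escaped before the markup is marked safe.
    return format_html('<span class="fa {1}" title="{0}"></span>',
                       help_tooltip, icon_classes)


def render_select(name, choices):
    # Counterpart of the fields.py pattern: every <option> is built with
    # format_html so value and label are escaped; joining the pieces and
    # calling mark_safe on the whole is then fine because only literal
    # markup ('</select>') is unescaped.
    output = [format_html('<select name="{0}">', name)]
    for value, label in choices:
        output.append(format_html('<option value="{0}">{1}</option>', value, label))
    output.append('</select>')
    return mark_safe('\n'.join(output))


# Constructed sample: a tooltip string carrying markup it should not be able to inject.
SAMPLE_TOOLTIP = 'Locked"><b>untrusted</b>'
SAMPLE_CHOICES = [('m1', 'small'), ('<x>', '<i>odd label</i>')]

if __name__ == '__main__':
    print(locked_status_unsafe(SAMPLE_TOOLTIP, 'fa-lock'))
    print(locked_status_safe(SAMPLE_TOOLTIP, 'fa-lock'))
    print(render_select('flavor', SAMPLE_CHOICES))
```

Running it shows the unsafe variant emitting the raw <b> tag inside the span, while the hardened variant renders the same tooltip as &quot;&gt;&lt;b&gt;untrusted&lt;/b&gt;. The practical review rule that follows from this is that mark_safe should only ever wrap markup whose dynamic parts were escaped at the point they were inserted.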

hanchl (hanchl)
summary: - subprocess_popen_with_shell_equals_true
+ Potential XSS on mark_safe function
