Excerpts from Tim Schnell's message of 2013-11-27 09:16:24 -0800:
> 
> On 11/27/13 10:09 AM, "Zane Bitter" <zbit...@redhat.com> wrote:
> 
> >On 26/11/13 22:24, Tim Schnell wrote:
> >> I propose adding an additional field to the parameter definition:
> >>     
> >>     Parameters:
> >>         <parameter name>:
> >>             description: This is the name of a nova key pair that will be used to ssh to the compute instance.
> >>             help: To learn more about nova key pairs click on this <a href="/some/url/">help article</a>.
> >
> >(Side note: you're seriously going to let users stick HTML in the
> >template and then have the dashboard display it?  Yikes.)
> 
> FWIW, I said the exact same thing to Keith Bray and his answer was, "why
> not?"
> 

Because it is a cross site scripting problem. You are now allowing users
to publish HTML as your site. If you can guarantee that users will only
ever be shown their own template help, then it is OK. But that seems
like an unlikely guarantee.

Just use markdown; it has become the standard for these things.

> The UI is already making determinations about what HTML to generate based
> on the template. For example, the parameter label to display just
> unslugifies the parameter key. This is a somewhat tangential discussion
> though, and I do have reservations about it. Maybe Keith can jump in and
> defend this better.
> 

Generating HTML is not displaying user input as HTML. There is a rather
large difference.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
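The distinction the reply draws between generating HTML and displaying user input as HTML, as an added example that is not part of the thread and not Heat or Horizon code. It contrasts showing the proposed `help` field verbatim with rendering it as a small markdown subset (escaped text plus `[label](url)` links); the sample help string, the function names and the link-syntax handling are all assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample (hypothetical): a "help" value a template author might ship.
# With raw display, the event handler would run in every user's browser.
UNTRUSTED_HELP = ('To learn more about nova key pairs click on this '
                  '<a href="/some/url/" onmouseover="alert(1)">help article</a>.')


def render_help_raw(text):
    """The proposal as quoted: the dashboard displays the field as-is.

    Whatever markup the template author wrote is emitted under the site's
    origin, which is the cross-site scripting problem the reply describes.
    """
    return text


# Tiny markdown subset: only [label](url) is recognised; everything else is text.
LINK_RE = re.compile(r'\[([^\]]+)\]\(([^)\s]+)\)')


def _safe_href(url):
    """Allow relative links and http(s) only; refuse javascript:, data:, etc."""
    return urlsplit(url).scheme.lower() in ('', 'http', 'https')


def render_help_markdown(text):
    """Generate HTML from the field rather than trusting HTML in the field.

    All text is escaped, so authored tags become literal characters; links are
    rebuilt from the markdown form with an escaped, scheme-checked href.
    """
    out, pos = [], 0
    for m in LINK_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        label, url = m.group(1), m.group(2)
        if _safe_href(url):
            out.append('<a href="%s">%s</a>'
                       % (html.escape(url, quote=True), html.escape(label)))
        else:
            # Unsafe scheme: leave the markdown as visible, escaped text.
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)
```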
