On 2017-11-17 08:22:31 +0000 (+0000), TommyLike Hu wrote:
> Recently, when we were integrating and testing OpenStack services, we
> found there is a potential script injection issue: some of our
> services accept input with special characters [1] [2]. For
> instance, we can create an instance or a volume with the name
> '<script>script inside</script>'. One of the possible solutions is to
> add HTML encode/decode support in Horizon, but it's not guaranteed that
> every OpenStack user is using Horizon. So should we apply a more
> strict restriction on the user's input?

Just my opinion, but I think it's up to frontends to know what strings are safe to present. Web-based interfaces are not the only possible place those strings may end up, and if we consider it the API's responsibility to strip out every possible sequence that might cause trouble for every kind of frontend or consuming application then we'll eventually be left accepting only ASCII alphanumerics.

> Also, I found Google Cloud has a strict and explicit restriction in
> their instance insert API document [3].
[...]

To my knowledge, Google Cloud is proprietary software and can afford to make decisions tightly coupling the security of their Web frontend to their APIs. OpenStack can't easily make the same sorts of assumptions.
--
Jeremy Stanley
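The division of responsibility argued above (the API stores the name as given; each consumer encodes it for its own output context) can be shown concretely. The following Python is an added example for this thread, not code from Horizon, Nova or Cinder; the function names and the sample resource name are constructed for illustration, and only the standard library is used.

```python
import html
import json

# Constructed sample: the kind of resource name the thread describes the
# compute/volume APIs accepting unchanged.
SAMPLE_NAME = "<script>script inside</script>"


def store_name(name: str) -> str:
    """Model the API side: keep the name exactly as submitted.

    Stripping '<' or '>' here would also reject legitimate names such as
    "a<b" and would still not protect a consumer that renders into a
    context (JSON, a shell, a log) where other characters matter.
    """
    return name


def render_html_text(name: str) -> str:
    """HTML element-content context: escape &, <, >, and both quote chars."""
    return html.escape(name, quote=True)


def render_html_attr(name: str) -> str:
    """HTML attribute context: escape as above and always wrap in quotes,
    so an unquoted attribute can never be broken out of."""
    return '"' + html.escape(name, quote=True) + '"'


def render_json_for_script(name: str) -> str:
    """Inline-<script> JSON context: json.dumps escapes quotes and control
    characters; additionally neutralise '</' so the string cannot close
    the surrounding script element."""
    return json.dumps(name).replace("</", "<\\/")


def render_plain_text(name: str) -> str:
    """CLI / log context: HTML escaping is wrong here, but terminal escape
    sequences and other control characters should not pass through."""
    return "".join(ch for ch in name if ch.isprintable())


def render_row_html(name: str) -> str:
    """A frontend table row that applies the right encoder per context."""
    return (
        "<tr data-name=" + render_html_attr(name) + ">"
        "<td>" + render_html_text(name) + "</td></tr>"
    )


if __name__ == "__main__":
    stored = store_name(SAMPLE_NAME)
    print(render_row_html(stored))
    print(render_json_for_script(stored))
    print(render_plain_text(stored))
```

Each renderer is chosen by the consumer at output time; the stored value is never altered, which is what lets a CLI, a JSON API client and a web dashboard all present the same name correctly.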
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
