** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1622690

Title:
  Potential XSS in image create modal or angular table

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The Image Create modal allows you to create an image sending unencoded
  HTML and JavaScript. This could lead to a potential XSS attack.

  Steps to reproduce:
  1. Go to project>images
  2. Click on "Create image"
  3. In the "Image Name" input enter some HTML code or script code
     (i.e. <h1>This is bad</h1>, <script>alert('This is bad');</script>)
  4. Fill in other required fields
  5. Click on 'Create Image'

  Expected Result:
  The image is created but the name is safely encoded and it's shown in
  the table as it was written.

  Actual Result:
  The image name is not encoded and therefore is being rendered as HTML
  by the browser.
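
The expected result from the report, as an added example that is not Horizon's code or the committed fix: the image name is HTML-encoded before it goes into a table cell, and two checks confirm that the cell carries no markup from the name and still displays the name as written. The function names, the `image-name` class and the third sample name are assumptions made for illustration.

```javascript
// Added example, not Horizon code. All names here are hypothetical.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can open markup or break out of an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Before: the name is concatenated into markup, so the browser parses it as HTML.
function renderNameCellUnsafe(imageName) {
  return '<td class="image-name">' + imageName + '</td>';
}

// After: the name is encoded first, so the browser shows it as text.
function renderNameCell(imageName) {
  return '<td class="image-name">' + escapeHtml(imageName) + '</td>';
}

// Strip the wrapping <td ...> and </td> to get what the name contributed.
function cellBody(cellHtml) {
  return cellHtml.replace(/^<td[^>]*>/, '').replace(/<\/td>$/, '');
}

// True when the name introduced a tag, closing tag or comment into the cell.
function nameInjectsMarkup(cellHtml) {
  return /<[a-zA-Z\/!]/.test(cellBody(cellHtml));
}

// The text a browser would display for an encoded cell: decode the five entities
// in a single pass, so "&amp;lt;" becomes the literal text "&lt;".
function displayedText(cellHtml) {
  const decode = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return cellBody(cellHtml).replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => decode[e]);
}

// The two names from the report, plus one constructed name with & and quotes.
const SAMPLE_NAMES = [
  '<h1>This is bad</h1>',
  "<script>alert('This is bad');</script>",
  'cirros & "test" 0.3.4',
];

for (const name of SAMPLE_NAMES) {
  const cell = renderNameCell(name);
  console.log(cell, '| markup injected:', nameInjectsMarkup(cell));
}
```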