Reviewed:  https://review.openstack.org/329998
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Submitter: Jenkins
Branch:    master
commit 62b4e6f30a7ae7961805abdffdb3c7ae5c2b676a
Author: Richard Jones <[email protected]>
Date:   Tue May 3 15:51:49 2016 +1000

    Escape angularjs templating in unsafe HTML

    This code extends the unsafe (typically user-supplied) HTML escape
    built into Django to also escape angularjs templating markers. Safe
    HTML will be unaffected.

    Closes-bug: 1567673
    Change-Id: I0cbebfd0f814bdf1bf8c06833abf33cc2d4748e7

** Changed in: horizon
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1567673

Title:
  [OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428)

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Security Advisory:
  Fix Committed

Bug description:
  I'm working through my group's process to deploy a new web app so that we can provide openstack in our production environment. Part of that process is having an authenticated security scan done by Acunetix. I've attached a screenshot of the report for the alert received during the scan. Unfortunately I'm not a dev, so I'm not sure if this is a false alarm or not.

  Quick research found the following link which talks about the issue in general: http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

  Any input would be greatly appreciated.

  Thanks!
  Brandon
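The commit message above describes the shape of the fix: Django's escape for untrusted HTML is extended so that the AngularJS interpolation markers are neutralised as well, while HTML already marked safe passes through unchanged. The block below is an added illustration of that mechanism and is not Horizon's patch or Django's code. It uses the standard library's html.escape as a stand-in for django.utils.html.escape, the SafeString / mark_safe / conditional_escape names are simplified analogues of Django's helpers, and the choice of numeric character references for the braces is an assumption (the commit does not say which entities it emits). The sample inputs are constructed.

```python
import html

# AngularJS evaluates anything between "{{" and "}}" that reaches the DOM,
# so escaping the five classic HTML characters alone is not enough: the
# braces themselves must become character references. Numeric references
# are an assumption here; the page does not state which entities Horizon uses.
TEMPLATE_MARKER_ENTITIES = {"{": "&#123;", "}": "&#125;"}


class SafeString(str):
    """Marker type for HTML the template author vouches for
    (simplified analogue of Django's SafeString)."""


def mark_safe(text):
    """Declare a string as already-safe HTML, exempting it from escaping."""
    return SafeString(text)


def escape(text):
    """Escape untrusted text for HTML and for AngularJS interpolation.

    html.escape stands in for django.utils.html.escape (assumption: both
    cover & < > " '). The brace substitution runs after the HTML escape so
    that the '&' in the newly inserted entities is not itself re-escaped.
    """
    escaped = html.escape(str(text), quote=True)
    for marker, entity in TEMPLATE_MARKER_ENTITIES.items():
        escaped = escaped.replace(marker, entity)
    return escaped


def conditional_escape(text):
    """Escape unless the value was explicitly marked safe
    (the behaviour of Django's conditional_escape)."""
    if isinstance(text, SafeString):
        return text
    return escape(text)


def has_interpolation_markers(rendered_html):
    """Regression check on rendered output: True if a literal '{{' survives
    that an AngularJS-enabled page could still evaluate in the browser."""
    return "{{" in rendered_html


def render_name_cell(user_supplied_name):
    """Render a table cell the way a Horizon-style template would: untrusted
    input goes through conditional_escape before being placed in markup."""
    return "<td>%s</td>" % conditional_escape(user_supplied_name)


if __name__ == "__main__":
    # Constructed sample: an instance name carrying an AngularJS expression.
    sample_name = "web-01 {{7*7}}"
    cell = render_name_cell(sample_name)
    print(cell)
    print("interpolation markers left:", has_interpolation_markers(cell))
    # Constructed sample: markup the template author wrote and marked safe.
    trusted = mark_safe("<em>{{vm.name}}</em>")
    print(render_name_cell(trusted))
```

The ordering inside escape is the part worth checking when reviewing a change of this kind: if the brace substitution ran before the HTML escape, the inserted `&#123;` would be re-escaped to `&amp;#123;` and the browser would render a literal `&#123;` instead of a brace, breaking legitimate text. has_interpolation_markers is a cheap guard to run over rendered pages in tests so that a future template that bypasses conditional_escape is caught.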

