** Changed in: horizon
Status: Fix Committed => Fix Released
Potential XSS in image create modal or angular table
Status in OpenStack Dashboard (Horizon):
Status in OpenStack Security Advisory:
The Image Create modal allows you to create an image sending unencoded
Steps to reproduce:
1. Go to project>images
2. Click on "Create image"
3. In the "Image Name" input enter some HTML code or script code (i.e.
<h1>This is bad</h1>, <script>alert('This is bad');</script>)
4. Fill in other required fields
5. Click on 'Create Image'
The image is created but the name is safely encoded and it's shown in the
table as it was written
The image name is not encoded and therefore is being rendered as HTML by the