<div dir="ltr">Thanks TommyLike for this bug report. Sounds like Stored XSS [1].<div>Could you please share more details, e.g. branch / release, APIs tested etc.?</div><div><br></div><div>[1] <a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Nov 17, 2017 at 12:36 PM, Davanum Srinivas <span dir="ltr"><<a href="mailto:davanum@gmail.com" target="_blank">davanum@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Adding [api] to make sure the API (SIG?) sees this too<br>
<div><div class="h5"><br>
On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <<a href="mailto:tommylikehu@gmail.com">tommylikehu@gmail.com</a>> wrote:<br>
> Hey all,<br>
> Recently when we integrating and testing OpenStack services. We found<br>
> there is a potential script injection issue that some of our services accept<br>
> the input with special character [1] [2], for instance we can create an<br>
> instance or a volume with the name of '<script>script inside</script>'. One<br>
> of the possible solutions is add HTML encode/decode support in Horizon, but<br>
> it's not guaranteed every OpenStack user is using Horizon. So should we<br>
> apply more strict restriction on user's input?<br>
> Also, I found Google Cloud have a strict and explicit restrction in<br>
> their instance insert API document [3].<br>
><br>
> [1]: Nova:<br>
> <a href="https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148" rel="noreferrer" target="_blank">https://github.com/openstack/<wbr>nova/blob/master/nova/api/<wbr>validation/parameter_types.py#<wbr>L148</a><br>
> [2]: Cinder:<br>
> <a href="https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253" rel="noreferrer" target="_blank">https://github.com/openstack/<wbr>cinder/blob/master/cinder/api/<wbr>openstack/wsgi.py#L1253</a><br>
> [3]: Google Cloud:<br>
> <a href="https://cloud.google.com/compute/docs/reference/latest/instances/insert" rel="noreferrer" target="_blank">https://cloud.google.com/<wbr>compute/docs/reference/latest/<wbr>instances/insert</a><br>
><br>
> Thanks<br>
> TommyLike.Hu<br>
><br>
><br>
><br>
</div></div>> ______________________________<wbr>______________________________<wbr>______________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Davanum Srinivas :: <a href="https://twitter.com/dims" rel="noreferrer" target="_blank">https://twitter.com/dims</a><br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.<wbr>openstack.org?subject:<wbr>unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack-dev</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Adam Heczko</div><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Security Engineer @ Mirantis Inc.</div></div></div>
</div>