[Openstack-security] Why are we still seeing XSS flaws?

Grant Murphy gmurphy at redhat.com
Tue Aug 5 02:44:56 UTC 2014


Hi,

I've been trying to put together some historical information about the
security vulnerabilities that we are seeing in OpenStack [1]. The one thing
that I've noticed is that we don't seem to be learning from our mistakes.

The particular example that I'd like to call out is XSS. This is a
very well known problem with a simple solution. Most template
frameworks, when used correctly, will automatically escape input unless
autoescape is explicitly disabled. So why are we still seeing this class of
bug turn up in 2014?

I'd like to propose that the OSSG does a review of Horizon's current
strategy for mitigating this type of flaw and find a better way forward
for future releases. Is anybody able to help out with this?

[1] http://openstack-security.info  (#wip)

--
Grant
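
Added example, not part of the original message and not Horizon's own code: a small audit helper that lists the template variables rendered without escaping, which is where a review of the kind proposed above would start. It assumes Django template syntax (Horizon is built on Django), and the sample template is constructed for illustration.

```python
import re

# Django template tokens that matter for escaping decisions.
TOKEN = re.compile(
    r"\{%\s*(?P<tag>autoescape\s+(?:on|off)|endautoescape)\s*%\}"
    r"|\{\{\s*(?P<var>.*?)\s*\}\}"
)
SAFE = re.compile(r"\|\s*(?:safe|safeseq)\b")
ESCAPE = re.compile(r"\|\s*(?:escape|force_escape)\b")


def unescaped_variables(template):
    """Return (line, expression, reason) for each variable rendered raw."""
    findings = []
    state = [True]  # Django autoescapes by default
    for m in TOKEN.finditer(template):
        line = template.count("\n", 0, m.start()) + 1
        tag, var = m.group("tag"), m.group("var")
        if tag:
            if tag == "endautoescape":
                if len(state) > 1:
                    state.pop()  # leave the innermost autoescape block
            else:
                state.append(tag.split()[1] == "on")
        elif SAFE.search(var):
            # |safe bypasses escaping even when autoescape is on
            findings.append((line, var, "safe filter"))
        elif not state[-1] and not ESCAPE.search(var):
            # inside {% autoescape off %} with no explicit |escape
            findings.append((line, var, "autoescape off"))
    return findings


# Constructed sample template, not taken from Horizon.
SAMPLE = """<h1>{{ instance.name }}</h1>
{% autoescape off %}
  <p>{{ instance.description }}</p>
  <p>{{ instance.owner|escape }}</p>
{% endautoescape %}
<td>{{ flavor.name|safe }}</td>
<td>{{ image.name }}</td>
"""

if __name__ == "__main__":
    for line, expr, reason in unescaped_variables(SAMPLE):
        print(f"line {line}: {{{{ {expr} }}}} rendered raw ({reason})")
```

Each finding is a place where a reviewer has to confirm that the value can never carry user-controlled markup; calls to mark_safe() in Python code need the same review and are not covered by this template scan.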
