[Openstack-security] Why are we still seeing XSS flaws?

Travis McPeak Travis_McPeak at symantec.com
Tue Aug 5 17:24:27 UTC 2014


Hi Grant,

I think this is a great project for OSSG and I'd definitely like to get
involved.  We'll kick it around at the next OSSG meeting this Thursday.

Thanks,
  -Travis




On 8/4/14, 10:42 PM, "openstack-security-request at lists.openstack.org"
<openstack-security-request at lists.openstack.org> wrote:

>Message: 4
>Date: Tue, 5 Aug 2014 12:44:56 +1000
>From: Grant Murphy <gmurphy at redhat.com>
>To: openstack-security at lists.openstack.org
>Subject: [Openstack-security] Why are we still seeing XSS flaws?
>Message-ID: <20140805024455.GA32168 at lappy.bne.redhat.com>
>Content-Type: text/plain; charset="us-ascii"
>
>Hi,
>
>I've been trying to put together some historical information about the
>security vulnerabilities that we are seeing in OpenStack [1]. The one
>thing
>that I've noticed is that we don't seem to be learning from our mistakes.
>
>The particular example that I'd like to call out is XSS.  This is a
>very well known problem with a simple solution. Most template
>frameworks when used correctly will automatically escape input unless
>autoescape is explicitly disabled. So why are we still seeing this class
>of
>bug turn up in 2014?
>
>I'd like to propose that the OSSG does a review of horizon's current
>strategy for mitigating this type of flaw and find a better way forward
>for future releases. Is anybody able to help out with this?




