[Openstack-security] Why are we still seeing XSS flaws?

Grant Murphy gmurphy at redhat.com
Wed Aug 6 00:08:21 UTC 2014


Hi Travis,

That sounds like a good plan. It's 3am in my timezone when OSSG meetings are
usually held, so it is a bit hard for me to make the meetings.  I'll try to
be there, but if I sleep through my alarm I'll be sure to read the scrollback
& follow up on any action items assigned to me.

- Grant

On Tue, Aug 05, 2014 at 10:24:27AM -0700, Travis McPeak wrote:
> Hi Grant,
> 
> I think this is a great project for OSSG and I'd definitely like to get
> involved.  We'll kick it around at the next OSSG meeting this Thursday.
> 
> Thanks,
>   -Travis
> 
> 
> 
> 
> On 8/4/14, 10:42 PM, "openstack-security-request at lists.openstack.org"
> <openstack-security-request at lists.openstack.org> wrote:
> 
> >Message: 4
> >Date: Tue, 5 Aug 2014 12:44:56 +1000
> >From: Grant Murphy <gmurphy at redhat.com>
> >To: openstack-security at lists.openstack.org
> >Subject: [Openstack-security] Why are we still seeing XSS flaws?
> >Message-ID: <20140805024455.GA32168 at lappy.bne.redhat.com>
> >Content-Type: text/plain; charset="us-ascii"
> >
> >Hi,
> >
> >I've been trying to put together some historical information about the
> >security vulnerabilities that we are seeing in OpenStack [1]. The one thing
> >that I've noticed is that we don't seem to be learning from our mistakes.
> >
> >The particular example that I'd like to call out is XSS.  This is a
> >very well known problem with a simple solution. Most template
> >frameworks when used correctly will automatically escape input unless
> >autoescape is explicitly disabled. So why are we still seeing this class of
> >bug turn up in 2014?
> >
> >I'd like to propose that the OSSG does a review of horizon's current
> >strategy for mitigating this type of flaw and find a better way forward
> >for future releases. Is anybody able to help out with this?
> 
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security

-- 
Grant Murphy / Red Hat Product Security
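As an added example (not from this thread or from Horizon's own code), a small audit script for the kind of review proposed above: it flags the template and view constructs that turn autoescaping off, assuming Horizon's Django templating and using constructed sample input.

```python
import re

# Constructs that disable or bypass Django's template autoescaping, the
# default protection the mail above refers to. Assumption: Horizon's
# templates are Django templates, so these are the patterns to review.
BYPASS_PATTERNS = {
    "autoescape_off": re.compile(r"{%\s*autoescape\s+off\s*%}"),
    "safe_filter": re.compile(r"{{[^}]*\|\s*safe(?:seq)?\b[^}]*}}"),
    "mark_safe_call": re.compile(r"\bmark_safe\s*\("),
}
AUTOESCAPE_END = re.compile(r"{%\s*endautoescape\s*%}")
VARIABLE_TAG = re.compile(r"{{.*?}}")

def audit(source, name="<input>"):
    """Return (name, line_no, rule, text) for each autoescape bypass found;
    every {{ ... }} inside an {% autoescape off %} block is reported too."""
    findings = []
    in_off_block = False
    for no, line in enumerate(source.splitlines(), 1):
        for rule, pattern in BYPASS_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, no, rule, line.strip()))
        # Track autoescape blocks: everything rendered inside reaches the
        # browser unescaped, even plain-looking {{ variable }} tags.
        if BYPASS_PATTERNS["autoescape_off"].search(line):
            in_off_block = True
        elif AUTOESCAPE_END.search(line):
            in_off_block = False
        elif in_off_block and VARIABLE_TAG.search(line):
            findings.append((name, no, "raw_in_autoescape_off", line.strip()))
    return findings

# Constructed sample input (not real Horizon code) exercising each rule.
SAMPLE_TEMPLATE = """\
{% load i18n %}
<h1>{{ instance.name }}</h1>
<p>{{ instance.description|safe }}</p>
{% autoescape off %}
  <div>{{ notice }}</div>
{% endautoescape %}
"""
SAMPLE_VIEW = """\
from django.utils.safestring import mark_safe
msg = mark_safe("<b>%s</b>" % request.GET.get("q", ""))
"""

if __name__ == "__main__":
    for name, no, rule, text in audit(SAMPLE_TEMPLATE, "detail.html") + audit(SAMPLE_VIEW, "views.py"):
        print(f"{name}:{no}: {rule}: {text}")
```

Run over a template and Python source tree, each hit marks a place where escaping is the developer's responsibility rather than the framework's, which is where a review should start.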
