[openstack-dev] [security] Script injection issue

TommyLike Hu tommylikehu at gmail.com
Fri Nov 17 08:22:31 UTC 2017

Hey all,
     Recently, when we were integrating and testing OpenStack services, we
found there is a potential script injection issue: some of our services
accept input with special characters [1] [2]; for instance, we can create
an instance or a volume with the name '<script>script inside</script>'.
One of the possible solutions is to add HTML encode/decode support in Horizon,
but it's not guaranteed that every OpenStack user is using Horizon. So should we
apply stricter restrictions on users' input?
     Also, I found that Google Cloud has a strict and explicit restriction in
their instance insert API document [3].

[1]: Nova:
[2]: Cinder:
[3]: Google Cloud:
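
The two options raised in the message above, side by side, as an added example that is not part of the original post and not OpenStack code: an allowlist check at input time and HTML encoding at render time. The pattern `STRICT_NAME`, the helper names and the sample names are assumptions made for illustration.

```python
import html
import re

# Assumed strict rule (RFC 1035 label style): 1-63 chars, lowercase letter
# first, then lowercase letters, digits or hyphens, not ending in a hyphen.
# Illustrative only; this is not a rule enforced by Nova or Cinder.
STRICT_NAME = re.compile(r"[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?")


def is_strict_name(name: str) -> bool:
    """Input-side control: allowlist check applied when the API accepts a name."""
    return STRICT_NAME.fullmatch(name) is not None


def render_name_cell(name: str) -> str:
    """Output-side control: encode the stored name for HTML text and attribute use."""
    # quote=True also encodes " and ', which matters inside the title attribute.
    return '<td title="{0}">{0}</td>'.format(html.escape(name, quote=True))


# Constructed sample names; the first is the one quoted in the post.
SAMPLES = [
    "<script>script inside</script>",
    "web-01",
    'backup "nightly" & logs',
    "数据库-01",
]


def compare(names):
    """Return (name, accepted_by_strict_rule, encoded_html) for each name."""
    return [(n, is_strict_name(n), render_name_cell(n)) for n in names]


if __name__ == "__main__":
    for name, accepted, cell in compare(SAMPLES):
        print(f"{name!r:36} strict={accepted!s:5} html={cell}")
```

The strict rule rejects the markup name but also rejects legitimate names containing spaces, quotes or non-ASCII text, while encoding at render time keeps every name usable but has to be applied by each consumer that displays it.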
