Adding [api] to make sure the API (SIG?) sees this too

On Fri, Nov 17, 2017 at 3:22 AM, TommyLike Hu <tommylikehu at gmail.com> wrote:
> Hey all,
> Recently, when integrating and testing OpenStack services, we found
> there is a potential script injection issue: some of our services accept
> input with special characters [1] [2]; for instance, we can create an
> instance or a volume with the name '<script>script inside</script>'. One
> of the possible solutions is to add HTML encode/decode support in Horizon, but
> it's not guaranteed that every OpenStack user is using Horizon. So should we
> apply stricter restrictions on users' input?
> Also, I found Google Cloud has a strict and explicit restriction in
> their instance insert API document [3].
>
> [1]: Nova:
> https://github.com/openstack/nova/blob/master/nova/api/validation/parameter_types.py#L148
> [2]: Cinder:
> https://github.com/openstack/cinder/blob/master/cinder/api/openstack/wsgi.py#L1253
> [3]: Google Cloud:
> https://cloud.google.com/compute/docs/reference/latest/instances/insert
>
> Thanks
> TommyLike.Hu
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-- 
Davanum Srinivas :: https://twitter.com/dims
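The two mitigations the thread weighs (escaping on output in a dashboard such as Horizon, versus rejecting markup characters at the API) side by side, as an added Python example that is not code from the thread, from Nova or from Cinder; the allow-list regex and the sample names are assumptions constructed for illustration, not either project's actual validation rule.

```python
import html
import re

# Constructed sample names for the demonstration (not from the thread).
SAMPLE_NAMES = [
    "web-server-01",
    "<script>script inside</script>",
    "db \u00e9 primary",
]

# Hypothetical allow-list for resource names: no control characters and
# none of the HTML-significant characters < > & " '. This character class
# is an assumption for the example, not Nova's or Cinder's real rule.
SAFE_NAME_RE = re.compile(r"^[^\x00-\x1f\x7f<>&'\"]{1,255}$")


def validate_name(name: str) -> bool:
    """Input-side control: reject a name that carries markup characters."""
    return bool(SAFE_NAME_RE.match(name))


def render_name(name: str) -> str:
    """Output-side control: HTML-escape the stored value before it is
    placed in a page, which is what a dashboard would have to do."""
    return html.escape(name, quote=True)


def contains_markup(rendered: str) -> bool:
    """True if a raw tag bracket or attribute-breaking quote survived."""
    return "<" in rendered or ">" in rendered or '"' in rendered


def assess(name: str) -> dict:
    """Apply both controls to one name: would the API accept it, and is
    it harmless to an HTML consumer once escaped on output?"""
    rendered = render_name(name)
    return {
        "name": name,
        "accepted_by_validator": validate_name(name),
        "rendered": rendered,
        "safe_when_rendered": not contains_markup(rendered),
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(assess(n))
```

The script-tag name is rejected by the validator and, independently, neutralized by output escaping; a consumer that is not Horizon only gets the second protection if it escapes on its own, which is the gap the thread points at.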