XSS is hard to test for automatically due to logically flows in the application not being easily discoverable. Also it kind of requires functional testing. But if you can write the test infra would probably merge the code. On Mon, Aug 4, 2014 at 10:44 PM, Grant Murphy <gmurphy at redhat.com> wrote: > Hi, > > I've been trying to put together some historical information about the > security vulnerabilities that we are seeing in OpenStack [1]. The one thing > that I've noticed is that we don't seem to be learning from our mistakes. > > The particular example that I'd like to call out is XSS. This is a > very well known problem with a simple solution. Most template > frameworks when used correctly will automatically escape input unless > autoescape is explicitly disabled. So why are we still seeing this class of > bug turn up in 2014? > > I'd like to propose that the OSSG does a review of horizon's current > strategy for mitigating this type of flaw and find a better way forward > for future releases. Is anybody able to help out with this? > > [1] http://openstack-security.info (#wip) > > -- > Grant > > > _______________________________________________ > Openstack-security mailing list > Openstack-security at lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-security/attachments/20140805/a8479e82/attachment.html>