Comment 33 for bug 1308727

Lin Hua Cheng (lin-hua-cheng) wrote : Re: XSS in Horizon Heat template - resource name (CVE-2014-3473)

@mrunge: I agree with Julie, we should not clean the input data, as it is inconsistent with the input validation from the CLI, which may cause confusion.

@jpich: patch looks good except for the hack on the Events and Resources tables.

Can we just inject the stack_id into the events and resources data so that we don't have to parse the links and extract the stack_id?

Like adding this
https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/stacks/tabs.py#L101

for event in events:
    event.stack_id = stack.id

https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/stacks/tabs.py#L126

for resource in resources:
    resource.stack_id = stack.id

I think this approach might be better, since the code in tabs.py is responsible for the data preparation for the view anyway. It is also more obvious to someone else reading the code what is actually going on.

This approach is also less prone to external issues, because it doesn't have a data format dependency on the links attribute that comes from heat.
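To make the comment's point concrete, here is an added example (not Horizon's or heat's own code) contrasting the two ways of giving an event or resource row its stack_id: recovering it by parsing the object's heat "links", versus setting it directly during data preparation as suggested above. The sample event objects, the link URL layout and the helper names are constructed assumptions for the illustration.

```python
# Added example, not code from the Horizon patch under review.
# Contrast: parse stack_id out of heat's "links" (fragile) versus
# annotate each object with stack_id in the tab's data preparation.
import re
from types import SimpleNamespace


def make_stack(stack_id):
    """Constructed stand-in for the heat stack object the tab already has."""
    return SimpleNamespace(id=stack_id)


def sample_events(with_links=True):
    """Constructed stand-ins for heat event objects.

    The href layout (.../stacks/<name>/<id>/events/<event_id>) is an
    assumption made for this example; with_links=False models an API
    response that does not carry the links attribute at all.
    """
    events = []
    for n in range(2):
        ev = SimpleNamespace(id="event-%d" % n, resource_name="server%d" % n)
        if with_links:
            ev.links = [{
                "rel": "self",
                "href": "http://heat/v1/t1/stacks/mystack/abc-123/events/event-%d" % n,
            }]
        events.append(ev)
    return events


# Assumed URL layout; any change on the heat side breaks this regex.
STACK_ID_RE = re.compile(r"/stacks/[^/]+/([^/]+)")


def stack_id_from_links(event):
    """Link-parsing approach: depends on heat's links format being present."""
    for link in getattr(event, "links", None) or []:
        if link.get("rel") == "self":
            match = STACK_ID_RE.search(link.get("href", ""))
            if match:
                return match.group(1)
    return None  # nothing usable to parse


def annotate_with_stack_id(items, stack):
    """Suggested approach: the view already knows the stack, so just set it."""
    for item in items:
        item.stack_id = stack.id
    return items


if __name__ == "__main__":
    stack = make_stack("abc-123")
    print([stack_id_from_links(e) for e in sample_events()])
    print([stack_id_from_links(e) for e in sample_events(with_links=False)])
    print([e.stack_id for e in annotate_with_stack_id(sample_events(False), stack)])
```

The annotation approach yields the same stack_id whether or not the objects carry links, which is the "no data format dependency" argument made in the comment.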