From 28d8f49786d6df297b2574514916fa782e941e09 Mon Sep 17 00:00:00 2001
From: lin-hua-cheng
Date: Mon, 1 Jun 2015 17:55:00 -0700
Subject: [PATCH] Escape the description param from heat template

The heat template allows user to define custom parameters, the fields are then converted to input fields. The description param maps to the help_text attribute of the field. Since the value comes from the user, the value must be escaped before rendering.

Co-Authored-By: Lin Hua Cheng
Change-Id: I79d540a8363b2507c4bccdc0cc38e283962919d2
Closes-bug: #1453074
---
 openstack_dashboard/dashboards/project/stacks/forms.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/openstack_dashboard/dashboards/project/stacks/forms.py b/openstack_dashboard/dashboards/project/stacks/forms.py
index 5ee01dfdcf..ba9e141813 100644
--- a/openstack_dashboard/dashboards/project/stacks/forms.py
+++ b/openstack_dashboard/dashboards/project/stacks/forms.py
@@ -13,6 +13,7 @@
 import json
 import logging
+from django.utils import html
 from django.utils.translation import ugettext_lazy as _
 from django.views.decorators.debug import sensitive_variables # noqa
@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
 field_args = {
 'initial': param.get('Default', None),
 'label': param.get('Label', param_key),
- 'help_text': param.get('Description', ''),
+ 'help_text': html.escape(param.get('Description', '')),
 'required': param.get('Default', None) is None
 }