21203559 problem in SERVICE/HORIZON s11u2-sru
author saurabh.vyas@oracle.com
Tue, 09 Jun 2015 22:31:26 -0700
branch s11u2-sru
changeset 4687 4604da308115
parent 4686 27b24e7a4997
child 4688 fbeba4862f2d
21203559 problem in SERVICE/HORIZON
components/openstack/horizon/patches/13-CVE-2015-3219.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/horizon/patches/13-CVE-2015-3219.patch	Tue Jun 09 22:31:26 2015 -0700
@@ -0,0 +1,47 @@
+Errata patch for CVE-2015-3219
+https://bugs.launchpad.net/horizon/+bug/1453074
+
+Fixed upstream and in a future release.
+-------
+From: lin-hua-cheng <[email protected]>
+Date: Mon, 1 Jun 2015 17:55:00 -0700
+Subject: [PATCH] Escape the description param from heat template
+
+The heat template allows user to define custom parameters,
+the fields are then converted to input fields. The description
+param maps to the help_text attribute of the field.
+
+Since the value comes from the user, the value must be escaped
+before rendering.
+
+Change-Id: I79d540a8363b2507c4bccdc0cc38e283962919d2
+Closes-bug: #1453074
+---
+ openstack_dashboard/dashboards/project/stacks/forms.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/openstack_dashboard/dashboards/project/stacks/forms.py 
+b/openstack_dashboard/dashboards/project/stacks/forms.py
+index 5ee01df..ba9e141 100644
+--- a/openstack_dashboard/dashboards/project/stacks/forms.py
++++ b/openstack_dashboard/dashboards/project/stacks/forms.py
+@@ -13,6 +13,7 @@
+ import json
+ import logging
+
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ from django.views.decorators.debug import sensitive_variables  # noqa
+
+@@ -310,7 +311,7 @@ class CreateStackForm(forms.SelfHandlingForm):
+             field_args = {
+                 'initial': param.get('Default', None),
+                 'label': param.get('Label', param_key),
+-                'help_text': param.get('Description', ''),
++                'help_text': html.escape(param.get('Description', '')),
+                 'required': param.get('Default', None) is None
+             }
+
+-- 
+1.9.1
+
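Review bot: only `Description` is escaped in the second hunk of the embedded patch, while `'label': param.get('Label', param_key)` and `'initial': param.get('Default', None)` in the same `field_args` dict are taken from the same user-supplied Heat template and passed through unchanged; unless those values are rendered only through Django's autoescaped template output, they should be wrapped in `html.escape(...)` the same way as help_text, and the patch description should say why they are left alone if they are. Also worth noting that `django.utils.html.escape` returns a string marked safe, so the template will not escape the help_text a second time; that is the intended effect here, but it means nothing downstream may call `mark_safe` on the field's help_text or concatenate unescaped text around it.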