When creating an organization or location, if the name contains HTML then the second step of the wizard (/organizations/id/step2) will render the HTML.

This occurs in the alert box stating that "Assigning hosts to ... will also update ... to include all the resources that the selected hosts are currently using."

This may permit a stored XSS attack if an organization with HTML in its name was added, then a user was directed to the specific URL of the wizard. However there are no direct links back to the wizard, so ordinarily this would only affect the user who created the org/location.

Affects Foreman 1.1 and higher.

Reported by Sanket Jagtap to foreman-security@googlegroups.com.