comparison doc/upgrading.txt @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | 23de24f57566 |
| children | ca692423e401 |
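The commit message above says a tracker stays vulnerable until its `html/page.html` is changed. The script below, added here and not part of roundup, checks a page.html for an error/ok message loop whose `tal:content` still uses the TAL `structure` keyword (which inserts the message as raw HTML instead of escaping it). The two embedded sample fragments are the before/after snippets from the upgrading notes; `MESSAGE_LOOP`, `unescaped_message_sinks` and `needs_upgrade` are names chosen for this example.

```python
import re
import sys

# Constructed sample inputs: the "before" and "after" fragments of html/page.html
# quoted in doc/upgrading.txt, trimmed to the two message loops.
VULNERABLE_FRAGMENT = '''<p tal:condition="options/error_message | nothing" class="error-message"
   tal:repeat="m options/error_message"
   tal:content="structure string:$m <br/ > " />
<p tal:condition="options/ok_message | nothing" class="ok-message">
  <span tal:repeat="m options/ok_message"
        tal:content="structure string:$m <br/ > " />
</p>'''

FIXED_FRAGMENT = '''<p tal:condition="options/error_message | nothing" class="error-message"
   tal:repeat="m options/error_message" tal:content="m" />
<p tal:condition="options/ok_message | nothing" class="ok-message">
  <span tal:repeat="m options/ok_message" tal:content="m" />
</p>'''

# A tal:repeat over one of the two message lists, followed in the same start tag
# by its tal:content attribute.  [^>]*? keeps the match inside one tag; the
# attribute value is captured with [^"]*, so a '>' inside the quotes is harmless.
MESSAGE_LOOP = re.compile(
    r'tal:repeat="\w+\s+options/(?P<list>error_message|ok_message)"'
    r'[^>]*?tal:content="(?P<expr>[^"]*)"')

def unescaped_message_sinks(template_text):
    """Return (list name, tal:content expression) for every message loop whose
    expression starts with the TAL 'structure' keyword, i.e. the message is
    inserted as raw HTML instead of being escaped."""
    found = []
    for m in MESSAGE_LOOP.finditer(template_text):
        expr = m.group('expr').strip()
        if expr.split()[:1] == ['structure']:
            found.append((m.group('list'), expr))
    return found

def needs_upgrade(template_text):
    """True when the template still has at least one unescaped message sink."""
    return bool(unescaped_message_sinks(template_text))

if __name__ == '__main__':
    # Usage: python check_page.py /path/to/tracker/html/page.html
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_FRAGMENT
    for list_name, expr in unescaped_message_sinks(text):
        print(f'{list_name}: still unescaped: tal:content="{expr}"')
    sys.exit(1 if needs_upgrade(text) else 0)
```

Run it against the tracker's own `html/page.html` after the upgrade; a non-zero exit means the template still inserts messages unescaped.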
| 4850:6998ad77841e | 4851:24b8011cd2dc |
|---|---|
| 10 then you don't need to do anything. If you're upgrading from 0.5.6 to | 10 then you don't need to do anything. If you're upgrading from 0.5.6 to |
| 11 0.6.8 though, you'll need to check the "0.5 to 0.6" and "0.6.x to 0.6.3" | 11 0.6.8 though, you'll need to check the "0.5 to 0.6" and "0.6.x to 0.6.3" |
| 12 steps. | 12 steps. |
| 13 | 13 |
| 14 .. contents:: | 14 .. contents:: |
| 15 | |
| 16 Migrating from 1.5.0 to 1.5.1 | |
| 17 ============================= | |
| 18 | |
| 19 *Important*: | |
| 20 There was a security bug fixed in the html templates (an XSS | |
| 21 vulnerability). So if you have a running tracker you will have to fix | |
| 22 the file ``html/page.html`` in your tracker directory. You need to | |
| 23 *twice* remove the ``structure`` element in the template and modify the | |
| 24 'tal:content' attribute, you need to replace the section:: | |
| 25 | |
| 26 <td> | |
| 27 <p tal:condition="options/error_message | nothing" class="error-message" | |
| 28 tal:repeat="m options/error_message" | |
| 29 tal:content="structure string:$m <br/ > " /> | |
| 30 <p tal:condition="options/ok_message | nothing" class="ok-message"> | |
| 31 <span tal:repeat="m options/ok_message" | |
| 32 tal:content="structure string:$m <br/ > " /> | |
| 33 <a class="form-small" tal:attributes="href request/current_url" | |
| 34 i18n:translate="">clear this message</a> | |
| 35 </p> | |
| 36 </td> | |
| 37 | |
| 38 with:: | |
| 39 | |
| 40 <td> | |
| 41 <p tal:condition="options/error_message | nothing" class="error-message" | |
| 42 tal:repeat="m options/error_message" tal:content="m" /> | |
| 43 <p tal:condition="options/ok_message | nothing" class="ok-message"> | |
| 44 <span tal:repeat="m options/ok_message" tal:content="m" /> | |
| 45 <a class="form-small" tal:attributes="href request/current_url" | |
| 46 i18n:translate="">clear this message</a> | |
| 47 </p> | |
| 48 </td> | |
| 49 | |
| 50 if you are using the new *jinja2* base templates, we are now iterating | |
| 51 over the error- and ok-messages and creating a paragraph for each | |
| 52 message. In addition ``autoescape`` is turned on for the section (which | |
| 53 is the critical security change). | |
| 54 See ``templates/jinja2/html/layout/page.html`` for details. | |
| 55 | |
| 15 | 56 |
| 16 Migrating from 1.4.20 to 1.4.21 | 57 Migrating from 1.4.20 to 1.4.21 |
| 17 =============================== | 58 =============================== |
| 18 | 59 |
| 19 The ``_generic.calendar.html`` page of the instance has been updated to include | 60 The ``_generic.calendar.html`` page of the instance has been updated to include |
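Review bot: the replacement markup at new line 44, `<span tal:repeat="m options/ok_message" tal:content="m" />`, drops the `<br/ >` that the old version put after every ok message, so when more than one ok message is present they now run together on one line inside the `<p>`; if the break is wanted, put a literal `<br/>` after the `<span>` rather than inside the escaped `tal:content` (the error messages are unaffected because the `<p>` itself repeats). It would also help to say explicitly that `tal:content="m"` escapes its value by default, since that is why the replacement is safe. Two wording points in the new text: line 23 calls ``structure`` an element, but it is the TAL expression-type keyword that disables escaping, and line 50 starts a sentence with a lowercase "if".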
