comparison doc/upgrading.txt @ 4623:4f9c3858b671
Fix another XSS with the ok- and error message, see issue2550724.
We solve this differently from the proposals in the bug-report by not
allowing *any* html-tags in ok/error messages anymore. Thanks to David
Benjamin for the bug-report and to Ezio Melotti for several proposed
fixes.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 14 May 2012 14:17:07 +0200 |
| parents | 753a379c0303 |
| children | 09df6e4c6975 |
| 4622:9d5825bf0b2d | 4623:4f9c3858b671 |
|---|---|
| 10 then you don't need to do anything. If you're upgrading from 0.5.6 to | 10 then you don't need to do anything. If you're upgrading from 0.5.6 to |
| 11 0.6.8 though, you'll need to check the "0.5 to 0.6" and "0.6.x to 0.6.3" | 11 0.6.8 though, you'll need to check the "0.5 to 0.6" and "0.6.x to 0.6.3" |
| 12 steps. | 12 steps. |
| 13 | 13 |
| 14 .. contents:: | 14 .. contents:: |
| 15 | |
| 16 Migrating from 1.4.19 to 1.4.20 | |
| 17 =============================== | |
| 18 | |
| 19 Roundup used to allow certain HTML-Tags in OK- and Error-messages. Since | |
| 20 these messages are passed via the URL (due to roundup redirecting after | |
| 21 an edit), we did have security-issues (see issue2550724). | |
| 22 | |
| 23 If you have customized OK- or Error messages in your | |
| 24 roundup-installation and you're were using features like bold or italic | |
| 25 parts of the message you will have to do without this highlighting and | |
| 26 remove HTML tags from messages. | |
| 27 | |
| 28 If you were using <br> tags for multi-line messages, you now should use | |
| 29 newlines instead, these will be replaced with <br/> during formatting. | |
| 30 | |
| 31 Note that the previous implementation also allowed links inside | |
| 32 messages. Since these links could be set by an attacker, no links in | |
| 33 roundup messages are supported anymore. This does *not* affect the | |
| 34 "clear this message" link in OK-messages as it is generated by the | |
| 35 template and is not part of the OK-message. | |
| 36 | |
| 37 If you have not modified any roundup messages, you need not do anything, | |
| 38 the templates shipped with roundup did not use HTML tags in messages for | |
| 39 highlighting. | |
| 40 | |
| 15 | 41 |
| 16 Migrating from 1.4.17 to 1.4.18 | 42 Migrating from 1.4.17 to 1.4.18 |
| 17 =============================== | 43 =============================== |
| 18 | 44 |
| 19 There was a bug in 1.4.17 where files were unlinked from issues if a | 45 There was a bug in 1.4.17 where files were unlinked from issues if a |
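Review bot: line 24 of the inserted section has a typo, "you're were using" should read "you were using". The new section also leaves a reader with customized templates guessing what a message that still contains a tag will look like after the upgrade: it tells them to "remove HTML tags from messages" but not whether a leftover tag is now escaped and shown literally or silently stripped, which is exactly what they need to know when checking their templates, so one sentence stating the new behaviour would settle it. Minor wording: "we did have security-issues" reads better as "we had a security issue", and "HTML-Tags", "OK- and Error-messages" should be "HTML tags", "OK and error messages".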

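The approach the commit message describes, as an added Python example that is not Roundup's code: a hypothetical whitelist renderer that keeps a handful of tags (the kind of design the upgrading notes say let links into messages) beside a hardened renderer that escapes everything and only afterwards turns newlines into `<br/>`. The message is pulled from a query parameter because the notes say messages travel via the URL on redirect; the parameter name `@ok_message`, the tracker URL and the payload are constructed for the demonstration and are assumptions, not details taken from Roundup.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed attacker payload: a link with a javascript: URL, carried in a
# redirect-style query parameter the way the upgrading notes say Roundup
# passes OK/error messages. The parameter name "@ok_message" and the host
# are assumptions made for this example.
ATTACK_MESSAGE = '<a href="javascript:alert(document.cookie)">click</a>'
ATTACK_URL = "http://tracker.example/issue12?" + urlencode(
    {"@ok_message": ATTACK_MESSAGE}
)

# Tags the hypothetical whitelist renderer lets through (illustrative list,
# not Roundup's former whitelist).
_ALLOWED_TAG = re.compile(r"<(/?)(b|i|br|a(?:\s[^>]*)?)\s*/?>", re.IGNORECASE)


def message_from_url(url: str, param: str = "@ok_message") -> str:
    """Extract the message from the query string, as the redirect target would."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def render_message_whitelist(message: str) -> str:
    """Hypothetical 'before': escape text but copy whitelisted tags verbatim.

    Not Roundup's old code. It shows the structural flaw: once <a> is on the
    whitelist the attacker controls its href, so escaping the text around
    the tag buys nothing.
    """
    out, pos = [], 0
    for m in _ALLOWED_TAG.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        out.append(m.group(0))  # allowed tag passes through, href included
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def render_message_safe(message: str) -> str:
    """Hardened: every tag is escaped; newlines become <br/> only afterwards."""
    return html.escape(message, quote=True).replace("\n", "<br/>")


def contains_markup(rendered: str) -> bool:
    """True if anything other than the renderer's own <br/> could open a tag."""
    return "<" in rendered.replace("<br/>", "")


def has_script_vector(rendered: str) -> bool:
    """True if a real tag carries a javascript: URL or an on* event handler."""
    return re.search(
        r"<[^>]*(?:javascript:|on\w+\s*=)|<script", rendered, re.IGNORECASE
    ) is not None


if __name__ == "__main__":
    msg = message_from_url(ATTACK_URL)
    print("whitelist:", render_message_whitelist(msg))
    print("safe:     ", render_message_safe(msg))
    print("multi-line:", render_message_safe("Issue 12 edited.\nFile attached."))
```

Escaping happens before the newline substitution, so a message that literally contains the text `<br/>` is rendered as `&lt;br/&gt;` and only real newlines produce a line break; that ordering is what keeps the "no tags at all" guarantee intact.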