diff roundup/cgi/client.py @ 4380:11d9f3f98897

fix potential XSS hole
author Richard Jones <richard@users.sourceforge.net>
date Thu, 01 Jul 2010 01:41:54 +0000
parents 3fd24c10c2bb
children b0d812e10549
--- a/roundup/cgi/client.py	Tue Jun 29 07:55:34 2010 +0000
+++ b/roundup/cgi/client.py	Thu Jul 01 01:41:54 2010 +0000
@@ -1069,9 +1069,9 @@
                 result = result.replace('</body>', s)
             return result
         except templating.NoTemplate, message:
-            return '<strong>%s</strong>'%message
+            return '<strong>%s</strong>'%cgi.escape(str(message))
         except templating.Unauthorised, message:
-            raise Unauthorised(str(message))
+            raise Unauthorised(cgi.escape(str(message)))
         except:
             # everything else
             if self.instance.config.WEB_DEBUG:
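Review bot: The `Unauthorised` branch now bakes HTML escaping into the exception payload — `raise Unauthorised(cgi.escape(str(message)))` — so whatever catches `Unauthorised` higher up (outside this hunk) receives entity-encoded text and must either render it as raw HTML or double-escape it; the same message will also show up pre-escaped in logs or non-HTML responses. Escaping belongs at the point of output, not at the point of raise: keep `raise Unauthorised(str(message))` here and apply `cgi.escape` where the message is actually written into the page. For the `NoTemplate` branch the new `cgi.escape(str(message))` is correct for element content, but note the default `quote=False` leaves `"` unescaped, so if any such message is ever interpolated into an attribute it should be `cgi.escape(str(message), True)`. The enclosing method starts before and ends after this hunk, and the `except:` that follows is unchanged by the commit.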
