diff CHANGES.txt @ 4851:24b8011cd2dc

Fix XSS in issue2550817 Note that the code that triggers that particular bug is no longer in roundup core. But the change to the templates we suggest is a *lot* safer as it always escapes the error and ok messages now. If you are upgrading: you *MUST* read doc/upgrading.txt and do the necessary changes to your templates; the escaping now happens in the template and not in the roundup code. So if you don't make the necessary changes *you are vulnerable*.
author Ralf Schlatterbeck <rsc@runtux.com>
date Fri, 20 Dec 2013 18:24:10 +0100
parents 6998ad77841e
children df4c1f58c3b8
--- a/CHANGES.txt	Wed Dec 18 09:02:40 2013 +0100
+++ b/CHANGES.txt	Fri Dec 20 18:24:10 2013 +0100
@@ -17,7 +17,7 @@
   discovery) (Ralf Schlatterbeck)
 - Pythons cgi form code can return a TypeError, we now guard for this
   condition. (Ralf Schlatterbeck)
-- Small bug-fix in SQL backends: An query (e.g. in a html menu) with a
+- Small bug-fix in SQL backends: A query (e.g. in a html menu) with a
   where-clause that always evaluates to false now will not raise a
   traceback. (Ralf Schlatterbeck)
 - Remove Python 2.3 compatibility code for i18n (anatoly techtonik)
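Review bot: the "An query" to "A query" correction is fine, but while touching this entry the same line's "in a html menu" should read "in an HTML menu", and the unchanged context line two entries up, "Pythons cgi form code", is missing its apostrophe ("Python's cgi form code"); a single copy-edit pass over these lines would be cleaner than fixing one article in isolation.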
@@ -46,6 +46,14 @@
 - Fix subtle bug when sorting by a Link that contains a Multilink from
   which we also search for an attribute. In that case the LEFT OUTER
   JOIN clause was missing in generated SQL. (Ralf Schlatterbeck)
+- Fix another XSS issue2550817. Note that the code that triggers that
+  particular bug is no longer in roundup core. But the change to the
+  templates we suggest is a *lot* safer as it always escapes the error
+  and ok messages now.
+  If you are upgrading: you *MUST* read doc/upgrading.txt and do the
+  necessary changes to your templates, the escaping now happens in the
+  template and not in the roundup code. So if you don't make the
+  necessary changes *you are vulnerable*. (Ralf Schlatterbeck)
 
 
 2013-07-06: 1.5.0
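Review bot: the new entry warns in strong terms ("you *MUST* read doc/upgrading.txt", "*you are vulnerable*") but never says what actually changed, so an administrator reading CHANGES.txt cannot tell which template construct to look for; the entry should name the template fragment that renders the error and ok messages and state that it must now escape them, or at least cite the exact section of doc/upgrading.txt, rather than only "the change to the templates we suggest". It should also make clear whether the triggering code being "no longer in roundup core" means the default templates shipped with this release are already safe and only customised trackers need the change, since as written a reader cannot tell which installations are affected.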

Roundup Issue Tracker: http://roundup-tracker.org/