Mercurial > p > roundup > code
diff roundup/cgi/client.py @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | bc4144417861 |
| children | ca692423e401 |
line wrap: on
line diff
--- a/roundup/cgi/client.py Wed Dec 18 09:02:40 2013 +0100 +++ b/roundup/cgi/client.py Fri Dec 20 18:24:10 2013 +0100 @@ -49,7 +49,12 @@ security.addPermissionToRole('Admin', p) def clean_message(msg): - return cgi.escape (msg).replace ('\n', '<br />\n') + """ A multi-line message is now split at line boundaries. + The templates will do the right thing to format this message. + Note that we no longer need to escape the message as this is now + taken care of by the template. + """ + return msg.split('\n') error_message = ''"""<html><head><title>An error has occurred</title></head> <body><h1>An error has occurred</h1> @@ -877,9 +882,9 @@ # see if we were passed in a message if ok_message: - self.ok_message.append(ok_message) + self.ok_message.extend(ok_message) if error_message: - self.error_message.append(error_message) + self.error_message.extend(error_message) # determine the classname and possibly nodeid path = self.path.split('/')