Mercurial > p > roundup > code
diff share/roundup/templates/devel/html/page.html @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | 9d5825bf0b2d |
| children | ca692423e401 |
line wrap: on
line diff
--- a/share/roundup/templates/devel/html/page.html Wed Dec 18 09:02:40 2013 +0100 +++ b/share/roundup/templates/devel/html/page.html Fri Dec 20 18:24:10 2013 +0100 @@ -234,11 +234,9 @@ <div class="content"> <h1 id="breadcrumb"><span metal:define-slot="body_title">body title</span></h1> <p tal:condition="options/error_message | nothing" class="error-message" - tal:repeat="m options/error_message" - tal:content="structure string:$m <br/ > " /> + tal:repeat="m options/error_message" tal:content="m" /> <p tal:condition="options/ok_message | nothing" class="ok-message"> - <span tal:repeat="m options/ok_message" - tal:content="structure string:$m <br/ > " /> + <span tal:repeat="m options/ok_message" tal:content="m" /> <a class="form-small" tal:attributes="href request/current_url" i18n:translate="">clear this message</a> </p>