diff roundup/cgi/client.py @ 4623:4f9c3858b671
Fix another XSS in the ok and error messages, see issue2550724.
We solve this differently from the proposals in the bug-report by not
allowing *any* html-tags in ok/error messages anymore. Thanks to David
Benjamin for the bug-report and to Ezio Melotti for several proposed
fixes.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 14 May 2012 14:17:07 +0200 |
| parents | b21bb66de6ff |
| children | 1ebc5f16aeda |
--- a/roundup/cgi/client.py Mon May 14 13:04:20 2012 +0200
+++ b/roundup/cgi/client.py Mon May 14 14:17:07 2012 +0200
@@ -43,19 +43,8 @@
 description="User may manipulate user Roles through the web")
 security.addPermissionToRole('Admin', p)
-# used to clean messages passed through CGI variables - HTML-escape any tag
-# that isn't <a href="">, <i>, <b> and <br> (including XHTML variants) so
-# that people can't pass through nasties like <script>, <iframe>, ...
-CLEAN_MESSAGE_RE = r'(<(/?(.*?)(\s*href="[^"]")?\s*/?)>)'
-def clean_message(message, mc=re.compile(CLEAN_MESSAGE_RE, re.I)):
- return mc.sub(clean_message_callback, message)
-def clean_message_callback(match, ok={'a':1,'i':1,'b':1,'br':1}):
- """ Strip all non <a>,<i>,<b> and <br> tags from a string
- """
- if match.group(3).lower() in ok:
- return match.group(1)
- return '<%s>'%match.group(2)
-
+def clean_message(msg):
+ return cgi.escape (msg).replace ('\n', '<br />\n')
 error_message = ''"""<html><head><title>An error has occurred</title></head>
 <body><h1>An error has occurred</h1>
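Review bot: The new `clean_message` calls `cgi.escape(msg)` with the default `quote=False`, which escapes only `&`, `<` and `>`; that is sufficient where the message is rendered as element text, but a `"` in the message would still close an attribute value if any template interpolates the cleaned message inside one, which cannot be confirmed from this hunk. Passing `quote=True` costs nothing and removes that case: `return cgi.escape(msg, quote=True).replace('\n', '<br />\n')` (note that `cgi.escape` converts only double quotes, so single-quoted attributes would remain a concern). The removed header comment explained why messages are cleaned while the replacement function has no docstring; suggest adding `"""HTML-escape an ok/error message supplied via CGI so it can carry no markup at all; only newlines are turned into <br />."""`. The spaces before the call parentheses in `cgi.escape (msg).replace (` are also not PEP 8 and differ from the surrounding file.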
