diff roundup/cgi/templating.py @ 4577:528fe0a3af24
issue2550711 Fix XSS vulnerability when username contains HTML code.
Thanks to Thomas Arendsen Hein for reporting and patch.
| field | value |
|---|---|
| author | Ralf Schlatterbeck <rsc@runtux.com> |
| date | Thu, 05 Jan 2012 15:56:15 +0100 |
| parents | 61cd652da1cd |
| children | 760483ce731e |
line diff
--- a/roundup/cgi/templating.py Wed Jan 04 19:09:47 2012 +0100 +++ b/roundup/cgi/templating.py Thu Jan 05 15:56:15 2012 +0100 @@ -1141,7 +1141,7 @@ if dre.match(user): user = self._db.user.get(user, 'username') l.append('<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>'%( - date_s, user, self._(action), arg_s)) + date_s, cgi.escape(user), self._(action), arg_s)) if comments: l.append(self._( '<tr><td colspan=4><strong>Note:</strong></td></tr>'))
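Review bot: cgi.escape(user) on the changed line is called without quote=True, so double quotes in a username pass through unescaped; that is harmless in the <td> element content shown here, but the same cell string would become injectable if it is ever reused inside an attribute, so cgi.escape(user, True) is the safer default. The other three values interpolated on the same line (date_s, self._(action), arg_s) remain unescaped; worth confirming at the point where they are built that none of them can carry user-controlled text, or escaping them here in the same way rather than leaving username as the only guarded column. Note also that cgi.escape is deprecated from Python 3.2 and removed in 3.8 in favour of html.escape, which escapes quotes by default, so a later port of this file will need to revisit this call.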
