Mercurial > p > roundup > code
diff roundup/cgi/client.py @ 4578:941681fec1b0
issue2550711 Fix XSS vulnerability in @action parameter.
thanks to "om" for reporting.
Also fix issue number of previous change-entry.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Thu, 05 Jan 2012 16:22:27 +0100 |
| parents | 35adb3950a39 |
| children | b21bb66de6ff |
line wrap: on
line diff
--- a/roundup/cgi/client.py Thu Jan 05 15:56:15 2012 +0100 +++ b/roundup/cgi/client.py Thu Jan 05 16:22:27 2012 +0100 @@ -1171,7 +1171,7 @@ if name == action_name: break else: - raise ValueError('No such action "%s"'%action_name) + raise ValueError('No such action "%s"'%cgi.escape(action_name)) return action_klass def _socket_op(self, call, *args, **kwargs):