Mercurial > p > roundup > code

view website/issues/html/_generic.calendar.html @ 4851:24b8011cd2dc

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fix XSS in issue2550817 Note that the code that triggers that particular bug is no longer in roundup core. But the change to the templates we suggest is a *lot* safer as it always escapes the error and ok messages now. If you are upgrading: you *MUST* read doc/upgrading.txt and do the necessary changes to your templates, the escaping now happens in the template and not in the roundup code. So if you don't make the necessary changes *you are vulnerable*.
author Ralf Schlatterbeck <rsc@runtux.com>
date Fri, 20 Dec 2013 18:24:10 +0100
parents a099ff2ceff3
children 7146b68ac263
line wrap: on
line source

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
 <head>
  <link rel="stylesheet" type="text/css" href="@@file/style.css" />
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" />
  <meta name="robots" content="noindex, nofollow" />
  <title tal:content="string:Roundup Calendar"></title>
  <script language="Javascript"
          type="text/javascript"
          tal:content="structure string:
          // this is the name of the field in the original form that we're working on
          form  = window.opener.document.${request/form/form/value};
          field = '${request/form/property/value}';" >
  </script>
 </head>
 <body class="body"
       tal:content="structure python:utils.html_calendar(request)">
 </body>
</html>
Roundup Issue Tracker: http://roundup-tracker.org/