Mercurial > p > roundup > code
view website/www/code.txt @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | b77ef61a844e |
| children | 98344ba5e157 |
line wrap: on
line source
Code ==== Changelog ---------- The changelog is available as `CHANGES.txt in the SCM repository <https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt>`_. Browse ------ `Browse the repository <https://sourceforge.net/p/roundup/code/>`_. Read-only Access ---------------- Read-only repository access is provided through :: hg clone http://hg.code.sf.net/p/roundup/code roundup-code The URL for the webinterface works, too, but you will see messages about redirects to the URL shown here. Read-write Access ----------------- The read/write access uses your SourceForge.net ssh password or ssh key to authorize your access. (See `SF's site documentation on Mercurial access <https://sourceforge.net/p/forge/documentation/Mercurial/>`_) :: hg clone ssh://USERNAME@hg.code.sf.net/p/roundup/code roundup-code Of course a roundup developer must have granted you write access first - ask for it on the roundup-devel list.