Mercurial > p > roundup > code
view website/issues/html/_generic.calendar.html @ 8365:4ac0bbb3e440
bug(security): CVE-2025-53865 - XSS bug
Extensive fixes in devel, responsive templates known to be
exploitable.
Similar constructs in classic and minimal templates not known
to be exploitable, but changed anyway.
doc/upgrading.txt:
Reformat to 66 characters.
Update with assigned CVE number.
Add section on fixing tal:replace with unsafe data.
Document analysis and assumptions in comment in file.
doc/security.txt:
Update with CVE number.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 11 Jul 2025 19:30:27 -0400 |
| parents | 28aa76443f58 |
| children |
line wrap: on
line source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <link rel="stylesheet" type="text/css" href="@@file/style.css" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8;" /> <meta name="robots" content="noindex, nofollow" /> <title tal:content="string:Roundup Calendar"></title> <script language="Javascript" type="text/javascript" tal:attributes="nonce request/client/client_nonce" tal:content="string: // this is the name of the field in the original form that we're working on form = window.opener.document.${request/form/form/value}; field = '${request/form/property/value}';" > </script> </head> <body class="body" tal:content="structure python:utils.html_calendar(request)"> </body> </html>