Mercurial > p > roundup > code
view website/www/code.txt @ 4880:ca692423e401
Different approach to fix XSS in issue2550817
Encapsulate the error/ok message append method as add_ok_message and
add_error_message. The new approach escapes the messages when appending
-- at a point in the code where we still know where the message comes
from. Escaping is the default but can bei turned off. This also fixes
issue2550836 where certain messages may contain links.
Another advantage of the new fix is that users don't need to change
installed trackers and are secure by default.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 31 Mar 2014 18:19:23 +0200 |
| parents | b77ef61a844e |
| children | 98344ba5e157 |
line wrap: on
line source
Code ==== Changelog ---------- The changelog is available as `CHANGES.txt in the SCM repository <https://sourceforge.net/p/roundup/code/ci/tip/tree/CHANGES.txt>`_. Browse ------ `Browse the repository <https://sourceforge.net/p/roundup/code/>`_. Read-only Access ---------------- Read-only repository access is provided through :: hg clone http://hg.code.sf.net/p/roundup/code roundup-code The URL for the webinterface works, too, but you will see messages about redirects to the URL shown here. Read-write Access ----------------- The read/write access uses your SourceForge.net ssh password or ssh key to authorize your access. (See `SF's site documentation on Mercurial access <https://sourceforge.net/p/forge/documentation/Mercurial/>`_) :: hg clone ssh://USERNAME@hg.code.sf.net/p/roundup/code roundup-code Of course a roundup developer must have granted you write access first - ask for it on the roundup-devel list.