changeset 4380:11d9f3f98897
fix potential XSS hole
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 01 Jul 2010 01:41:54 +0000 |
| parents | 4cc4ccafc660 |
| children | 6893b5253dac |
| files | roundup/cgi/client.py roundup/cgi/templating.py |
| diffstat | 2 files changed, 4 insertions(+), 4 deletions(-) [+] |
--- a/roundup/cgi/client.py Tue Jun 29 07:55:34 2010 +0000
+++ b/roundup/cgi/client.py Thu Jul 01 01:41:54 2010 +0000
@@ -1069,9 +1069,9 @@
 result = result.replace('</body>', s)
 return result
 except templating.NoTemplate, message:
- return '<strong>%s</strong>'%message
+ return '<strong>%s</strong>'%cgi.escape(str(message))
 except templating.Unauthorised, message:
- raise Unauthorised(str(message))
+ raise Unauthorised(cgi.escape(str(message)))
 except:
 # everything else
 if self.instance.config.WEB_DEBUG:
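Review bot: The second added line, `raise Unauthorised(cgi.escape(str(message)))`, bakes HTML escaping into the exception's message instead of escaping where the message is rendered, so any handler that writes the `Unauthorised` text to a log, a plain-text response, or a template that escapes again will show `&lt;`/`&amp;` entities or double-escaped text. It is safer to keep the exception carrying the raw message (`raise Unauthorised(str(message))`) and apply `cgi.escape` at the single point that interpolates it into HTML, as the first added line already does for the NoTemplate case. That rendering point is not in this hunk, so its location is inferred. Note also that `cgi.escape` without `quote=True` leaves `"` untouched, which is fine in element content such as `<strong>%s</strong>` but not if the same message is ever placed inside an attribute. The enclosing method starts and ends outside the hunk.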
--- a/roundup/cgi/templating.py Tue Jun 29 07:55:34 2010 +0000
+++ b/roundup/cgi/templating.py Thu Jul 01 01:41:54 2010 +0000
@@ -115,9 +115,9 @@
 if os.path.exists(src):
 return (src, generic)
- raise NoTemplate, 'No template file exists for templating "%s" '\
+ raise NoTemplate('No template file exists for templating "%s" '
 'with template "%s" (neither "%s" nor "%s")'%(name, view,
- filename, generic)
+ filename, generic))
 class Templates:
 templates = {}
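Review bot: The rebuilt `raise NoTemplate(...)` interpolates `name`, `view`, `filename` and `generic` into the exception text, and the client.py hunk in this same changeset only became necessary because that text reaches an HTML response, yet nothing at the raise site records that contract. A short comment above the raise would keep it visible to future callers: `# message may embed caller-supplied names and is rendered as HTML by the cgi client; escape at the output site, not here.` Whether `name`/`view` can originate from the request is inferred from the client.py hunk rather than visible here. The enclosing function starts outside the hunk.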
