changeset 1656:ee730d990989

fix cross-site-scripting bug
author Richard Jones <richard@users.sourceforge.net>
date Tue, 10 Jun 2003 22:55:30 +0000
parents 0feb34b2de71
children dad5b4b8f035
files roundup/cgi/client.py templates/classic/html/_generic.help.html
diffstat 2 files changed, 14 insertions(+), 4 deletions(-) [+]
--- a/roundup/cgi/client.py	Mon Jun 09 23:51:14 2003 +0000
+++ b/roundup/cgi/client.py	Tue Jun 10 22:55:30 2003 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.118 2003-06-09 23:17:23 richard Exp $
+# $Id: client.py,v 1.119 2003-06-10 22:55:30 richard Exp $
 
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
@@ -68,6 +68,13 @@
         description="User may manipulate user Roles through the web")
     security.addPermissionToRole('Admin', p)
 
+def clean_message(match, ok={'a':1,'i':1,'b':1,'br':1}):
+    ''' Strip all non <a>,<i>,<b> and <br> tags from a string
+    '''
+    if ok.has_key(match.group(2)):
+        return match.group(1)
+    return '&lt;%s&gt;'%match.group(2)
+
 class Client:
     ''' Instantiate to handle one CGI request.
 
@@ -341,7 +348,8 @@
         # reopen the database as the correct user
         self.opendb(self.user)
 
-    def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')):
+    def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)'),
+            mc=re.compile(r'(</?(.*?)>)')):
         ''' Determine the context of this page from the URL:
 
             The URL path after the instance identifier is examined. The path
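Review bot: the default `mc=re.compile(r'(</?(.*?)>)')` matches only a complete `<...>` on a single line, so a `<` that is never closed inside the message, or a tag body containing a newline, is not rewritten by the later `mc.sub` and is emitted as-is; in the HTML the message lands in, the next `>` of the template closes that tag. Use `mc=re.compile(r'(</?([^>]*)>)|<')` so every `<` is consumed (the character class also spans newlines), and have clean_message return `'&lt;'` when `match.group(2)` is None. determine_context's body continues outside the hunk.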
@@ -389,8 +397,10 @@
                 template_override = self.form[key].value
             elif self.FV_OK_MESSAGE.match(key):
                 ok_message = self.form[key].value
+                ok_message = mc.sub(clean_message, ok_message)
             elif self.FV_ERROR_MESSAGE.match(key):
                 error_message = self.form[key].value
+                error_message = mc.sub(clean_message, error_message)
 
         # determine the classname and possibly nodeid
         path = self.path.split('/')
--- a/templates/classic/html/_generic.help.html	Mon Jun 09 23:51:14 2003 +0000
+++ b/templates/classic/html/_generic.help.html	Tue Jun 10 22:55:30 2003 +0000
@@ -49,10 +49,10 @@
        </tr>
        <tr>
            <th>&nbsp;<b>x</b></th>
-           <th tal:repeat="prop props" tal:content="prop"></th>
+           <th tal:repeat="prop props" tal:content="structure prop"></th>
        </tr>
      </table>
 
  </form>
  </body>
-</html>
\ No newline at end of file
+</html>
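Review bot: `tal:content="structure prop"` switches off TAL's HTML escaping for each entry of `props`, so whatever those strings contain is written into the page as markup. That is only safe if `props` is built from trusted data; if the help popup's property list is derived from the request, this reintroduces the class of bug the commit fixes. Either keep `tal:content="prop"` here, or document the contract next to it, e.g. `<!-- props must be pre-escaped; structure is safe only while that holds -->`.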
