fix XSS vulnerability reported by Moritz Naumann

This commit is contained in:
Jan Dittberner 2009-02-10 21:15:04 +01:00
parent 049848d660
commit 9234d81ed7
2 changed files with 25 additions and 18 deletions

View file

@ -27,6 +27,7 @@ available to Controllers. This module is available to both as 'h'.
"""
from webhelpers import *
from webhelpers.html.tags import *
from webhelpers.html.builder import escape
from webhelpers.text import *
from webhelpers.textile import *
from routes.util import *

View file

@ -36,10 +36,11 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="email">${_('Email address:')}
% if 'email' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['email']}</span>
<span class="errormsg">${c.messages['errors']['email'] | h}</span>
% endif
</label><br />
${h.text('email', request.params.get('email', None), id='email')}<br />
${h.text('email',
h.escape(request.params.get('email', None), True), id='email')}<br />
</div>
<div id="namefield" \
% if 'name' in c.messages['errors']:
@ -49,20 +50,22 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="name">${_('Name:')}
% if 'name' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['name']}</span>
<span class="errormsg">${c.messages['errors']['name'] | h}</span>
% endif
</label><br />
${h.text('name', request.params.get('name', None), id='name')}<br />
${h.text('name',
h.escape(request.params.get('name', None)), id='name')}<br />
</div>
<div id="gpgfpfield" class="hidden">
<label for="gpgfp">${_('GPG fingerprint:')}
% if 'gpgfp' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['gpgfp']}</span>
<span class="errormsg">${c.messages['errors']['gpgfp'] | h}</span>
% endif
</label><br />
${h.text('gpgfp', request.params.get('gpgfp', None),
id='gpgfp', readonly='readonly')}<br />
${h.text('gpgfp',
h.escape(request.params.get('gpgfp', None)),
id='gpgfp', readonly='readonly')}<br />
</div>
<div id="usernamefield" \
% if 'username' in c.messages['errors']:
@ -72,25 +75,27 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="username">${_('Debian user name:')}
% if 'username' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['username']}</span>
<span class="errormsg">${c.messages['errors']['username'] | h}</span>
% endif
</label><br />
${h.text('username', request.params.get('username', None),
id='username')}<br />
${h.text('username',
h.escape(request.params.get('username', None)),
id='username')}<br />
</div>
<div id="nonddemailfield" \
% if 'nonddemail' in c.messages['errors']:
class="witherrors" \
% endif
>
<label for="nonddemail">${_('Non DD email address:')}
<label for="nonddemail">${_('Non DD email address:') | h}
% if 'nonddemail' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['nonddemail']}</span>
<span class="errormsg">${c.messages['errors']['nonddemail'] | h}</span>
% endif
</label><br />
${h.text('nonddemail', request.params.get('nonddemail', None),
id='nonddemail')}<br />
${h.text('nonddemail',
h.escape(request.params.get('nonddemail', None)),
id='nonddemail')}<br />
</div>
<div id="aliothusernamefield" \
% if 'aliothusername' in c.messages['errors']:
@ -101,17 +106,18 @@ ${h.form(h.url_for(action='urllist'), method='get')}
% if 'aliothusername' in c.messages['errors']:
<br />
<span
class="errormsg">${c.messages['errors']['aliothusername']}</span>
class="errormsg">${c.messages['errors']['aliothusername'] | h}</span>
% endif
</label><br />
${h.text('aliothusername', request.params.get('username', None),
id='aliothusername')}<br />
${h.text('aliothusername',
h.escape(request.params.get('username', None)),
id='aliothusername')}<br />
</div>
<div id="modefield">
<label for="mode_html">${_('Output format:')}
% if 'mode' in c.messages['errors']:
<br />
<span class="errormsg">${c.messages['errors']['mode']}</span>
<span class="errormsg">${c.messages['errors']['mode'] | h}</span>
% endif
</label><br />
${_('HTML')}&#160;${h.radio('mode', 'html',