fix XSS vulnerability reported by Moritz Naumann

This commit is contained in:
Jan Dittberner 2009-02-10 21:15:04 +01:00
parent 049848d660
commit 9234d81ed7
2 changed files with 25 additions and 18 deletions

View file

@ -27,6 +27,7 @@ available to Controllers. This module is available to both as 'h'.
""" """
from webhelpers import * from webhelpers import *
from webhelpers.html.tags import * from webhelpers.html.tags import *
from webhelpers.html.builder import escape
from webhelpers.text import * from webhelpers.text import *
from webhelpers.textile import * from webhelpers.textile import *
from routes.util import * from routes.util import *

View file

@ -36,10 +36,11 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="email">${_('Email address:')} <label for="email">${_('Email address:')}
% if 'email' in c.messages['errors']: % if 'email' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['email']}</span> <span class="errormsg">${c.messages['errors']['email'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('email', request.params.get('email', None), id='email')}<br /> ${h.text('email',
h.escape(request.params.get('email', None), True), id='email')}<br />
</div> </div>
<div id="namefield" \ <div id="namefield" \
% if 'name' in c.messages['errors']: % if 'name' in c.messages['errors']:
@ -49,19 +50,21 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="name">${_('Name:')} <label for="name">${_('Name:')}
% if 'name' in c.messages['errors']: % if 'name' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['name']}</span> <span class="errormsg">${c.messages['errors']['name'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('name', request.params.get('name', None), id='name')}<br /> ${h.text('name',
h.escape(request.params.get('name', None)), id='name')}<br />
</div> </div>
<div id="gpgfpfield" class="hidden"> <div id="gpgfpfield" class="hidden">
<label for="gpgfp">${_('GPG fingerprint:')} <label for="gpgfp">${_('GPG fingerprint:')}
% if 'gpgfp' in c.messages['errors']: % if 'gpgfp' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['gpgfp']}</span> <span class="errormsg">${c.messages['errors']['gpgfp'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('gpgfp', request.params.get('gpgfp', None), ${h.text('gpgfp',
h.escape(request.params.get('gpgfp', None)),
id='gpgfp', readonly='readonly')}<br /> id='gpgfp', readonly='readonly')}<br />
</div> </div>
<div id="usernamefield" \ <div id="usernamefield" \
@ -72,10 +75,11 @@ ${h.form(h.url_for(action='urllist'), method='get')}
<label for="username">${_('Debian user name:')} <label for="username">${_('Debian user name:')}
% if 'username' in c.messages['errors']: % if 'username' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['username']}</span> <span class="errormsg">${c.messages['errors']['username'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('username', request.params.get('username', None), ${h.text('username',
h.escape(request.params.get('username', None)),
id='username')}<br /> id='username')}<br />
</div> </div>
<div id="nonddemailfield" \ <div id="nonddemailfield" \
@ -83,13 +87,14 @@ ${h.form(h.url_for(action='urllist'), method='get')}
class="witherrors" \ class="witherrors" \
% endif % endif
> >
<label for="nonddemail">${_('Non DD email address:')} <label for="nonddemail">${_('Non DD email address:') | h}
% if 'nonddemail' in c.messages['errors']: % if 'nonddemail' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['nonddemail']}</span> <span class="errormsg">${c.messages['errors']['nonddemail'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('nonddemail', request.params.get('nonddemail', None), ${h.text('nonddemail',
h.escape(request.params.get('nonddemail', None)),
id='nonddemail')}<br /> id='nonddemail')}<br />
</div> </div>
<div id="aliothusernamefield" \ <div id="aliothusernamefield" \
@ -101,17 +106,18 @@ ${h.form(h.url_for(action='urllist'), method='get')}
% if 'aliothusername' in c.messages['errors']: % if 'aliothusername' in c.messages['errors']:
<br /> <br />
<span <span
class="errormsg">${c.messages['errors']['aliothusername']}</span> class="errormsg">${c.messages['errors']['aliothusername'] | h}</span>
% endif % endif
</label><br /> </label><br />
${h.text('aliothusername', request.params.get('username', None), ${h.text('aliothusername',
h.escape(request.params.get('username', None)),
id='aliothusername')}<br /> id='aliothusername')}<br />
</div> </div>
<div id="modefield"> <div id="modefield">
<label for="mode_html">${_('Output format:')} <label for="mode_html">${_('Output format:')}
% if 'mode' in c.messages['errors']: % if 'mode' in c.messages['errors']:
<br /> <br />
<span class="errormsg">${c.messages['errors']['mode']}</span> <span class="errormsg">${c.messages['errors']['mode'] | h}</span>
% endif % endif
</label><br /> </label><br />
${_('HTML')}&#160;${h.radio('mode', 'html', ${_('HTML')}&#160;${h.radio('mode', 'html',