fix gui editor formatter XSS issues
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Tue, 28 Aug 2007 14:48:30 +0200
changeset 844d0152eeb4499
parent 843 9880e04b1be2
child 845 4a7de0173734
child 846 4ede07e792dd
fix gui editor formatter XSS issues
MoinMoin/formatter/text_gedit.py
docs/CHANGES
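--- a/MoinMoin/formatter/text_gedit.py
+++ b/MoinMoin/formatter/text_gedit.py
@@ -58,6 +58,8 @@
         return self.url(1, href, title=title, do_escape=1, css=html_class) # interwiki links with pages with umlauts
 
     def attachment_inlined(self, url, text, **kw):
+        url = wikiutil.escape(url)
+        text = wikiutil.escape(text)
         if url == text:
             return '<span style="background-color:#ffff11">inline:%s</span>' % url
         else:
@@ -98,7 +100,7 @@
             result =  "[[%s(%s)]]" % (name, args)    
         else:
             result = "[[%s]]" % name
-        return '<span style="background-color:#ffff11">%s</span>' % result
+        return '<span style="background-color:#ffff11">%s</span>' % wikiutil.escape(result)
 
     def processor(self, processor_name, lines, is_parser=0):
         """ processor_name MUST be valid!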
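Review bot: The added `wikiutil.escape(url)` / `wikiutil.escape(text)` calls in `attachment_inlined` use the default escaping, which (as elsewhere in MoinMoin) does not touch double quotes, so they are sufficient only while the values land in element content as on the visible `inline:%s` line. The method's `else:` branch runs past the end of the hunk; if it places `url` or `text` inside an attribute value, that branch needs quote-aware escaping (`wikiutil.escape(url, quote=1)`) or the comparison and the two return paths should be reviewed together. A short why-comment would help the next maintainer avoid re-introducing the problem, e.g. `# url/text originate from page markup and are emitted as HTML to the gui editor - escape before use`. The second hunk escapes `result` as a whole, which covers both `name` and `args`; its enclosing method also starts outside the hunk.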
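--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -33,6 +33,7 @@
     * AttachFile overwrite mode (introduced in 1.5.7) did not check delete
       rights, but only write rights. Now it checks that the user has write AND
       delete rights before overwriting a file.
+    * Fixed potential XSS issues related to feeding of gui editor.
 
 Version 1.5.8:
   New features: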