fix XSS issues in AttachFile action
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Wed Jan 23 00:54:59 2008 +0100 (2 years ago)
changeset 856db212dfc58ef
parent 855e69a16b6e630
child 8579108598d9cee
fix XSS issues in AttachFile action
MoinMoin/action/AttachFile.py
docs/CHANGES
     1.1 --- a/MoinMoin/action/AttachFile.py	Sun Jan 20 23:27:48 2008 +0100
     1.2 +++ b/MoinMoin/action/AttachFile.py	Wed Jan 23 00:54:59 2008 +0100
     1.3 @@ -440,7 +440,7 @@
     1.4      'action_name': action_name,
     1.5      'upload_label_file': _('File to upload'),
     1.6      'upload_label_rename': _('Rename to'),
     1.7 -    'rename': request.form.get('rename', [''])[0],
     1.8 +    'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
     1.9      'upload_label_overwrite': _('Overwrite existing attachment of same name'),
    1.10      'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
    1.11      'upload_button': _('Upload'),
    1.12 @@ -543,6 +543,8 @@
    1.13  
    1.14  
    1.15  def upload_form(pagename, request, msg=''):
    1.16 +    if msg:
    1.17 +        msg = wikiutil.escape(msg)
    1.18      _ = request.getText
    1.19  
    1.20      request.http_headers()
    1.21 @@ -734,7 +736,7 @@
    1.22      d = {'action': 'AttachFile',
    1.23           'do': 'attachment_move',
    1.24           'ticket': wikiutil.createTicket(request),
    1.25 -         'pagename': pagename,
    1.26 +         'pagename': wikiutil.escape(pagename, 1),
    1.27           'attachment_name': filename,
    1.28           'move': _('Move'),
    1.29           'cancel': _('Cancel'),
    1.30 @@ -821,13 +823,13 @@
    1.31  
    1.32      if package.isPackage():
    1.33          if package.installPackage():
    1.34 -            msg=_("Attachment '%(filename)s' installed.") % {'filename': wikiutil.escape(target)}
    1.35 +            msg=_("Attachment '%(filename)s' installed.") % {'filename': target}
    1.36          else:
    1.37 -            msg=_("Installation of '%(filename)s' failed.") % {'filename': wikiutil.escape(target)}
    1.38 +            msg=_("Installation of '%(filename)s' failed.") % {'filename': target}
    1.39          if package.msg != "":
    1.40              msg += "<br><pre>" + wikiutil.escape(package.msg) + "</pre>"
    1.41      else:
    1.42 -        msg = _('The file %s is not a MoinMoin package file.' % wikiutil.escape(target))
    1.43 +        msg = _('The file %s is not a MoinMoin package file.' % target)
    1.44  
    1.45      upload_form(pagename, request, msg=msg)
    1.46  
    1.47 @@ -911,9 +913,9 @@
    1.48                            "files are too big, .zip files only, exist already or "
    1.49                            "reside in folders.") % {'filename': filename}
    1.50          else:
    1.51 -            msg = _('The file %(target)s is not a .zip file.' % target)
    1.52 +            msg = _('The file %(target)s is not a .zip file.' % {'target': filename}) 
    1.53  
    1.54 -    upload_form(pagename, request, msg=wikiutil.escape(msg))
    1.55 +    upload_form(pagename, request, msg=msg)
    1.56  
    1.57  def send_viewfile(pagename, request):
    1.58      _ = request.getText
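Review bot: Escaping `msg` unconditionally in `upload_form` (second hunk) clashes with the package-install branch in the fourth hunk, which still wraps `package.msg` in `"<br><pre>" … "</pre>"` after escaping it itself and then calls `upload_form(pagename, request, msg=msg)`, so those tags will now be shown literally and `package.msg` is escaped twice. One way to keep the fix while preserving that one piece of markup is an opt-out parameter with a safe default, `def upload_form(pagename, request, msg='', escape_msg=True):` with `if msg and escape_msg:`, and having that caller escape `target` itself (as it did before the change) and pass `escape_msg=False`. Separately, `_('The file %(target)s is not a .zip file.' % {'target': filename})` in the last hunk (and the package-file message in the fourth) interpolates before the translation lookup, so a translated string can never match; `_('The file %(target)s is not a .zip file.') % {'target': filename}` is the form the neighbouring messages use. That line also carries trailing whitespace. The body of `upload_form` continues past the end of its hunk.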
     2.1 --- a/docs/CHANGES	Sun Jan 20 23:27:48 2008 +0100
     2.2 +++ b/docs/CHANGES	Wed Jan 23 00:54:59 2008 +0100
     2.3 @@ -43,7 +43,7 @@
     2.4      * added missing data/plugin/converter package
     2.5      * Fixed Despam action (same editor grouping was broken), now looking for
     2.6        spam edits in the last 30 days.
     2.7 -    * Fixed XSS issue in login action.
     2.8 +    * Fixed XSS issues in login and AttachFile action.
     2.9      * Security fix: only accept valid user IDs from the cookie.
    2.10  
    2.11  Version 1.5.8: