changeset 4235:8cb4d34ccbc1

fix AttachFile XSS issues
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 11 Jan 2009 22:18:04 +0100
parents af8cea9bfcda
children 2420b2aa34e8 dffb00e59a3d
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 2 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Wed Jan 07 01:17:06 2009 +0100
+++ b/MoinMoin/action/AttachFile.py	Sun Jan 11 22:18:04 2009 +0100
@@ -438,7 +438,7 @@
     'pngpath': pngpath, 'timestamp': timestamp,
     'pubpath': pubpath, 'drawpath': drawpath,
     'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
-    'basename': basename
+    'basename': wikiutil.escape(basename),
 })
 
 
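Review bot: The escape call added for `basename` omits the quote flag that the second hunk of this commit passes for `rename`, so a double quote in an attachment name would presumably still pass through unescaped. The template that consumes this dict is outside the hunk; if `%(basename)s` is substituted inside a quoted attribute value there, the line should read `'basename': wikiutil.escape(basename, 1),`. The sibling values `pngpath`, `pubpath`, `drawpath`, `savelink`, `pagelink` and `helplink` go into the dict as-is in the visible lines, so it is worth confirming at the point where they are built that each is already URL-quoted or escaped.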
@@ -482,7 +482,7 @@
     'action_name': action_name,
     'upload_label_file': _('File to upload'),
     'upload_label_rename': _('Rename to'),
-    'rename': request.form.get('rename', [''])[0],
+    'rename': wikiutil.escape(request.form.get('rename', [''])[0], 1),
     'upload_label_overwrite': _('Overwrite existing attachment of same name'),
     'overwrite_checked': ('', 'checked')[request.form.get('overwrite', ['0'])[0] == '1'],
     'upload_button': _('Upload'),
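Review bot: The bare positional `1` on the `rename` line does not say what it switches on. Writing it as `wikiutil.escape(request.form.get('rename', [''])[0], quote=1)` (assuming the parameter is named `quote`, as in `cgi.escape`) would make the intent visible. If the value is echoed into the form field's attribute, which the template outside this hunk would confirm, a short comment such as `# echoed back into the form, so quotes must be escaped too` would keep a later edit from dropping the flag. The enclosing dict starts and ends outside the hunk.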