comparison MoinMoin/PageGraphicalEditor.py @ 5685:37306fba2189

Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
author Eugene Syromyatnikov <evgsyr@gmail.com>
date Fri, 04 Jun 2010 00:13:24 +0400
parents b757ecd984fb
children 4238b0c90871
5684:0d76fbaa3cd9 5685:37306fba2189
169 # TODO: maybe warn if template argument was ignored because the page exists? 169 # TODO: maybe warn if template argument was ignored because the page exists?
170 raw_body = self.get_raw_body() 170 raw_body = self.get_raw_body()
171 elif 'template' in form: 171 elif 'template' in form:
172 # If the page does not exist, we try to get the content from the template parameter. 172 # If the page does not exist, we try to get the content from the template parameter.
173 template_page = wikiutil.unquoteWikiname(form['template'][0]) 173 template_page = wikiutil.unquoteWikiname(form['template'][0])
174 template_page_escaped = wikiutil.escape(template_page)
174 if request.user.may.read(template_page): 175 if request.user.may.read(template_page):
175 raw_body = Page(request, template_page).get_raw_body() 176 raw_body = Page(request, template_page).get_raw_body()
176 if raw_body: 177 if raw_body:
177 request.write(_("[Content of new page loaded from %s]") % (template_page, ), '<br>') 178 request.write(_("[Content of new page loaded from %s]") % (template_page_escaped, ), '<br>')
178 else: 179 else:
179 request.write(_("[Template %s not found]") % (template_page, ), '<br>') 180 request.write(_("[Template %s not found]") % (template_page_escaped, ), '<br>')
180 else: 181 else:
181 request.write(_("[You may not read %s]") % (template_page, ), '<br>') 182 request.write(_("[You may not read %s]") % (template_page_escaped, ), '<br>')
182 183
183 # Make backup on previews - but not for new empty pages 184 # Make backup on previews - but not for new empty pages
184 if not use_draft and preview and raw_body: 185 if not use_draft and preview and raw_body:
185 self._save_draft(raw_body, rev) 186 self._save_draft(raw_body, rev)
186 187
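Review bot: the three request.write calls at new lines 178, 180 and 182 now interpolate template_page_escaped instead of the raw template_page, while the raw value is still used for request.user.may.read and the Page lookup; that split is right, since the unescaped name is needed to address the page and only the copy that reaches the browser needs HTML escaping. What the change still lacks is a regression test: feed a template parameter whose unquoted name contains markup such as `<script>` and assert that each of the three messages renders it as `&lt;script&gt;`, so the escape cannot silently drop out of one branch later. One thing to keep in mind if this message is ever moved into an attribute rather than emitted as element text before the `<br>`: the default wikiutil.escape call, as used here, should then be checked for quote escaping as well.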