diff MoinMoin/PageGraphicalEditor.py @ 5685:37306fba2189

Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
author Eugene Syromyatnikov <evgsyr@gmail.com>
date Fri, 04 Jun 2010 00:13:24 +0400
parents b757ecd984fb
children 4238b0c90871
--- a/MoinMoin/PageGraphicalEditor.py	Fri Jun 04 00:08:29 2010 +0400
+++ b/MoinMoin/PageGraphicalEditor.py	Fri Jun 04 00:13:24 2010 +0400
@@ -171,14 +171,15 @@
         elif 'template' in form:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(form['template'][0])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.write(_("[Content of new page loaded from %s]") % (template_page, ), '<br>')
+                    request.write(_("[Content of new page loaded from %s]") % (template_page_escaped, ), '<br>')
                 else:
-                    request.write(_("[Template %s not found]") % (template_page, ), '<br>')
+                    request.write(_("[Template %s not found]") % (template_page_escaped, ), '<br>')
             else:
-                request.write(_("[You may not read %s]") % (template_page, ), '<br>')
+                request.write(_("[You may not read %s]") % (template_page_escaped, ), '<br>')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body:
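Review bot: The deliberate split between `template_page` (fed to `request.user.may.read` and `Page()`) and `template_page_escaped` (used only inside the three `request.write` messages) is the substance of the fix, but nothing in the hunk records that intent, so a later edit could pass the escaped name to the page lookup or the raw one back into the HTML output. A one-line comment next to the new assignment would pin it down: `# escaped copy is for HTML output only; the ACL check and Page() lookup must use the raw name`. The escaped value is adequate here only because it lands in element text rather than an attribute, which is worth stating in the same comment if `wikiutil.escape` is called without attribute quoting, as it appears to be. The enclosing method starts and ends outside the hunk.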