diff MoinMoin/action/login.py @ 5685:37306fba2189

Fixing security issues related to MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg (possible XSS)
author Eugene Syromyatnikov <evgsyr@gmail.com>
date Fri, 04 Jun 2010 00:13:24 +0400
parents 2a3a6cb34e45
children 4238b0c90871 f8871116c6b3
--- a/MoinMoin/action/login.py	Fri Jun 04 00:08:29 2010 +0400
+++ b/MoinMoin/action/login.py	Fri Jun 04 00:13:24 2010 +0400
@@ -68,7 +68,7 @@
             if hasattr(request, '_login_messages'):
                 for msg in request._login_messages:
                     error.append('<p>')
-                    error.append(msg)
+                    error.append(wikiutil.escape(msg))
                 error = ''.join(error)
             request.theme.add_msg(error, "error")
             return self.page.send_page()
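Review bot: The new `wikiutil.escape(msg)` call carries no comment explaining why escaping happens at this call site, and the surrounding code assembles `error` as markup (the literal `'<p>'`) before handing it to `request.theme.add_msg`, so a later edit could easily reintroduce a raw append. I would add a comment above the loop such as `# add_msg() receives this string as markup: every login message must be escaped before it is appended`. It would also be worth confirming that `wikiutil` is imported in this module, since the import is not visible in the hunk. Separately, `error = ''.join(error)` sits inside the `hasattr` branch, so when `_login_messages` is absent `add_msg` gets whatever `error` was initialised to above the hunk; the enclosing method starts outside the visible lines, so this needs checking against the full file.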