diff MoinMoin/action/AttachFile.py @ 4539:5c4043e651b3

AttachFile: fix escaping problems (invalid html, but likely no XSS)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 29 Jan 2009 21:36:30 +0100
parents 8cb4d34ccbc1
children 0d03855518a4 ca61dedd6fda
--- a/MoinMoin/action/AttachFile.py	Tue Jan 27 21:17:55 2009 +0100
+++ b/MoinMoin/action/AttachFile.py	Thu Jan 29 21:36:30 2009 +0100
@@ -400,7 +400,7 @@
     for fname in files:
         url = getAttachUrl(pagename, fname, request, do='view', escaped=1)
         request.write(u'<link rel="Appendix" title="%s" href="%s">\n' % (
-                      wikiutil.escape(fname), url))
+                      wikiutil.escape(fname, 1), url))
 
 
 def send_hotdraw(pagename, request):
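Review bot: The bare `1` now passed to `wikiutil.escape` in the `<link rel="Appendix" title="%s" ...>` write gives no hint that it is the flag keeping `fname` from closing the double-quoted attribute early, so a later cleanup could drop it again. A short comment such as `# quote=1: value is placed inside a double-quoted HTML attribute` would document it, and the same applies to the `'basename'` entry changed in the second hunk. The `href` value on that line relies on `getAttachUrl(..., escaped=1)`, whose handling of `"` is not visible here, so it is worth confirming that it escapes quotes as well. The enclosing function starts outside the hunk.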
@@ -438,7 +438,7 @@
     'pngpath': pngpath, 'timestamp': timestamp,
     'pubpath': pubpath, 'drawpath': drawpath,
     'savelink': savelink, 'pagelink': pagelink, 'helplink': helplink,
-    'basename': wikiutil.escape(basename),
+    'basename': wikiutil.escape(basename, 1),
 })