# HG changeset patch
# User Eugene Syromyatnikov
# Date 1275554856 -14400
# Node ID 68ba3cc79513d792ae4e5ce90ec946eec23daf9a
# Parent 07595b99ffb8f112d5ca4adb5145814b49b241f0
Fixed MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
diff -r 07595b99ffb8 -r 68ba3cc79513 MoinMoin/PageEditor.py
--- a/MoinMoin/PageEditor.py Sun May 30 23:00:57 2010 +0200
+++ b/MoinMoin/PageEditor.py Thu Jun 03 12:47:36 2010 +0400
@@ -278,14 +278,15 @@
 elif 'template' in request.values:
 # If the page does not exist, we try to get the content from the template parameter.
 template_page = wikiutil.unquoteWikiname(request.values['template'])
+ template_page_escaped = wikiutil.escape(template_page)
 if request.user.may.read(template_page):
 raw_body = Page(request, template_page).get_raw_body()
 if raw_body:
- request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+ request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
 else:
- request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+ request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
 else:
- request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+ request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')

 # Make backup on previews - but not for new empty pages
 if not use_draft and preview and raw_body:
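Review bot: The escaping is applied at the three `add_msg` call sites rather than where the message is rendered, so it protects only these strings; any other caller that interpolates a request-derived value into an `add_msg` message would still need the same treatment, which cannot be confirmed from this hunk. The raw `template_page` must keep feeding `request.user.may.read()` and `Page(...)` while only the escaped copy goes into messages, so a comment on the added line would make that split explicit, e.g. `# HTML-escaped copy for display only; ACL check and page lookup use the raw name`. `wikiutil.escape` is called without its `quote` argument, which is adequate if the theme emits the message as element text but not if it ever lands inside an attribute value, so that is worth confirming against the theme's message rendering. The enclosing function starts and ends outside the hunk.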