changeset 4700:269a1fbc3ed7

AttachFile move: add more escaping (maybe not XSS exploitable though)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 18 Apr 2009 19:09:16 +0200
parents 5f51246a4df1
children d8049de69c4f
files MoinMoin/action/AttachFile.py
diffstat 1 files changed, 2 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Sat Apr 18 18:58:25 2009 +0200
+++ b/MoinMoin/action/AttachFile.py	Sat Apr 18 19:09:16 2009 +0200
@@ -749,9 +749,9 @@
          'baseurl': request.getScriptname(),
          'do': 'attachment_move',
          'ticket': wikiutil.createTicket(request),
-         'pagename': pagename,
+         'pagename': wikiutil.escape(pagename, 1),
          'pagename_quoted': wikiutil.quoteWikinameURL(pagename),
-         'attachment_name': filename,
+         'attachment_name': wikiutil.escape(filename, 1),
          'move': _('Move'),
          'cancel': _('Cancel'),
          'newname_label': _("New page name"),
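Review bot: `'baseurl': request.getScriptname()` is now the only request-derived value in the visible part of this dict that is interpolated without HTML escaping. The template that consumes the dict is outside the hunk, so this is inferred, but if `baseurl` ends up inside an attribute such as a form action, it would be consistent to write `'baseurl': wikiutil.escape(request.getScriptname(), 1),` even though the script name is normally set by the server. The bare `1` reads more clearly as `wikiutil.escape(pagename, quote=1)`, since it is the flag that also escapes double quotes for attribute context. A short comment above the dict, e.g. `# values are HTML-escaped here; pagename_quoted is URL-quoted for use in the action URL`, would stop later code from reusing the already-escaped `pagename` outside HTML.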