changeset 2780:28b851be0844
fix gui editot formatter XSS issues
author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
---|---|
date | Tue, 28 Aug 2007 14:10:33 +0200 |
parents | c9dd12befda7 |
children | 5507fdc7fe87 |
files | MoinMoin/formatter/text_gedit.py |
diffstat | 1 files changed, 3 insertions(+), 1 deletions(-) [+] |
--- a/MoinMoin/formatter/text_gedit.py Tue Aug 28 13:43:11 2007 +0200
+++ b/MoinMoin/formatter/text_gedit.py Tue Aug 28 14:10:33 2007 +0200
@@ -57,6 +57,8 @@
         return self.url(1, href, title=title, css=html_class) # interwiki links with pages with umlauts
 
     def attachment_inlined(self, url, text, **kw):
+        url = wikiutil.escape(url)
+        text = wikiutil.escape(text)
         if url == text:
             return '<span style="background-color:#ffff11">inline:%s</span>' % url
         else:
@@ -133,7 +135,7 @@
             result = "<<%s(%s)>>" % (name, args)
         else:
             result = "<<%s>>" % name
-        return '<span style="background-color:#ffff11">%s</span>' % result # XXX XSS needs escaping!
+        return '<span style="background-color:#ffff11">%s</span>' % wikiutil.escape(result)
 
     def parser(self, parser_name, lines):
         """ parser_name MUST be valid!
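Review bot: In attachment_inlined the two new `wikiutil.escape` calls make the method assume its `url` and `text` arguments arrive unescaped, and nothing in the hunk records that contract; a comment such as `# url/text are raw wiki values; escape exactly once here before building markup` would keep a later caller from pre-escaping and emitting `&amp;lt;` in the page. Escaping before the `url == text` comparison is harmless since the escape is deterministic. The else branch of attachment_inlined continues outside the hunk, so it is not visible whether the escaped `url` is also placed into an HTML attribute there; if it is, the default escape (which, if this is the usual wikiutil.escape, does not touch `"`) would not be sufficient for an attribute value and the quoting variant should be used. The second hunk escapes the whole `result` string as text content and raises nothing further.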