changeset 2780:28b851be0844

fix gui editor formatter XSS issues
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 28 Aug 2007 14:10:33 +0200
parents c9dd12befda7
children 5507fdc7fe87
files MoinMoin/formatter/text_gedit.py
diffstat 1 files changed, 3 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/formatter/text_gedit.py	Tue Aug 28 13:43:11 2007 +0200
+++ b/MoinMoin/formatter/text_gedit.py	Tue Aug 28 14:10:33 2007 +0200
@@ -57,6 +57,8 @@
         return self.url(1, href, title=title, css=html_class) # interwiki links with pages with umlauts
 
     def attachment_inlined(self, url, text, **kw):
+        url = wikiutil.escape(url)
+        text = wikiutil.escape(text)
         if url == text:
             return '<span style="background-color:#ffff11">inline:%s</span>' % url
         else:
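Review bot: The added `url = wikiutil.escape(url)` escapes for element-content context only, yet the `else:` branch that follows (its body lies outside the hunk) presumably emits url somewhere other than the `inline:%s` span text; if that is an attribute value such as `href="..."`, `wikiutil.escape` without its quote argument leaves `"` intact and the attribute can still be closed early, so any attribute use should be `wikiutil.escape(url, 1)`. Rebinding `url` and `text` at the top of the method also means every later statement sees already-escaped values, so a later call that expects raw input (for example one that builds a link from url) would double-escape; escaping at each output point instead keeps the context explicit. attachment_inlined continues past the end of the hunk.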
@@ -133,7 +135,7 @@
             result = "<<%s(%s)>>" % (name, args)
         else:
             result = "<<%s>>" % name
-        return '<span style="background-color:#ffff11">%s</span>' % result # XXX XSS needs escaping!
+        return '<span style="background-color:#ffff11">%s</span>' % wikiutil.escape(result)
 
     def parser(self, parser_name, lines):
         """ parser_name MUST be valid!