changeset 5674:68ba3cc79513

Fixed MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
author Eugene Syromyatnikov <evgsyr@gmail.com>
date Thu, 03 Jun 2010 12:47:36 +0400
parents 07595b99ffb8
children de7d4e43d3aa
files MoinMoin/PageEditor.py
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
--- a/MoinMoin/PageEditor.py	Sun May 30 23:00:57 2010 +0200
+++ b/MoinMoin/PageEditor.py	Thu Jun 03 12:47:36 2010 +0400
@@ -278,14 +278,15 @@
         elif 'template' in request.values:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(request.values['template'])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
                 else:
-                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
             else:
-                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body:
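Review bot: The new `template_page_escaped` line in the `elif 'template' in request.values` branch has no comment saying which of the two names belongs where, so a later edit could swap them. The split itself is right: the raw `template_page` still goes to `request.user.may.read()` and `Page()`, and the escaped copy is used only in the three `add_msg` texts. I would add a comment above the new line such as `# template_page comes from the request: raw name for lookups, escaped copy for any text handed to add_msg`. The escaping is done at the call site rather than inside `add_msg`, so other callers that interpolate request values into messages presumably need the same treatment and are worth checking as a follow-up. The enclosing method starts and ends outside the hunk.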