Fixed MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
authorEugene Syromyatnikov <evgsyr@gmail.com>
Thu, 03 Jun 2010 12:47:36 +0400
changeset 567468ba3cc79513
parent 5673 07595b99ffb8
child 5675 de7d4e43d3aa
Fixed MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
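--- a/MoinMoin/PageEditor.py	Sun May 30 23:00:57 2010 +0200
+++ b/MoinMoin/PageEditor.py	Thu Jun 03 12:47:36 2010 +0400
@@ -278,14 +278,15 @@
         elif 'template' in request.values:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(request.values['template'])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
                 else:
-                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
             else:
-                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body: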
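Review bot: Nothing on the new `template_page_escaped` line says why two copies of the name exist, so a later edit could easily pass the raw `template_page` to a message again. The split itself is correct: the raw name still goes to `may.read` and `Page(...)`, and only the three `add_msg` calls get the escaped copy. I would add a comment above the assignment, such as `# template name comes from the request; use the escaped copy in any add_msg text, which appears to be emitted as HTML`. Escaping at each call site is also easy to miss, so any other `add_msg` call in this function that interpolates request values deserves the same check. The enclosing function starts and ends outside this hunk, so those calls are not visible here.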