Fixed
MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
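--- a/MoinMoin/PageEditor.py
+++ b/MoinMoin/PageEditor.py
@@ -278,14 +278,15 @@
         elif 'template' in request.values:
             # If the page does not exist, we try to get the content from the template parameter.
             template_page = wikiutil.unquoteWikiname(request.values['template'])
+            template_page_escaped = wikiutil.escape(template_page)
             if request.user.may.read(template_page):
                 raw_body = Page(request, template_page).get_raw_body()
                 if raw_body:
-                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info')
+                    request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info')
                 else:
-                    request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning')
+                    request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning')
             else:
-                request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error')
+                request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error')
 
         # Make backup on previews - but not for new empty pages
         if not use_draft and preview and raw_body: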
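Review bot: The new `template_page_escaped` line carries no comment saying why the escape is needed, so a later maintainer may "simplify" it back to the raw name; I would add above it `# add_msg() output is rendered as HTML and the template name comes straight from the query string, so escape it before interpolating into any message`. The split between the raw `template_page` (used for the permission check and the `Page(...)` lookup) and the escaped copy (used only for display) is the right shape; naming that split in the comment also tells readers the raw value must never reach `add_msg`. Whether the same request-supplied name is rendered anywhere else in this method (for example in the editor form) cannot be seen from this hunk and is worth a check, since the fix only covers these three messages. The enclosing method starts and ends outside the hunk.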