Mercurial > moin > 1.9
changeset 5674:68ba3cc79513
Fixed MoinMoinBugs/1.9.2XSSTemplateParameter by escaping template name in messages.
| author | Eugene Syromyatnikov <evgsyr@gmail.com> |
|---|---|
| date | Thu, 03 Jun 2010 12:47:36 +0400 |
| parents | 07595b99ffb8 |
| children | de7d4e43d3aa |
| files | MoinMoin/PageEditor.py |
| diffstat | 1 files changed, 4 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/MoinMoin/PageEditor.py Sun May 30 23:00:57 2010 +0200 +++ b/MoinMoin/PageEditor.py Thu Jun 03 12:47:36 2010 +0400 @@ -278,14 +278,15 @@ elif 'template' in request.values: # If the page does not exist, we try to get the content from the template parameter. template_page = wikiutil.unquoteWikiname(request.values['template']) + template_page_escaped = wikiutil.escape(template_page) if request.user.may.read(template_page): raw_body = Page(request, template_page).get_raw_body() if raw_body: - request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page, ), 'info') + request.theme.add_msg(_("[Content of new page loaded from %s]") % (template_page_escaped, ), 'info') else: - request.theme.add_msg(_("[Template %s not found]") % (template_page, ), 'warning') + request.theme.add_msg(_("[Template %s not found]") % (template_page_escaped, ), 'warning') else: - request.theme.add_msg(_("[You may not read %s]") % (template_page, ), 'error') + request.theme.add_msg(_("[You may not read %s]") % (template_page_escaped, ), 'error') # Make backup on previews - but not for new empty pages if not use_draft and preview and raw_body: