fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing
author Thomas Waldmann <tw AT waldmann-edv DOT de>
Tue, 30 Mar 2010 22:19:42 +0200
changeset 5637 6e603e5411ca
parent 5586 369a2c879eb6
child 5638 788131dd21c3
child 5684 0d76fbaa3cd9
fix XSS in Despam action (CVE-2010-0828) - thanks to Jamie Strandboge (Ubuntu) for fixing

Bug-Ubuntu: https://launchpad.net/bugs/538022
MoinMoin/action/Despam.py
     1.1 --- a/MoinMoin/action/Despam.py	Thu Feb 25 16:51:33 2010 +0100
     1.2 +++ b/MoinMoin/action/Despam.py	Tue Mar 30 22:19:42 2010 +0200
     1.3 @@ -173,14 +173,14 @@
     1.4              if repr(line.getInterwikiEditorData(request)) == editor:
     1.5                  revertpages.append(line.pagename)
     1.6  
     1.7 -    request.write("Pages to revert:<br>%s" % "<br>".join(revertpages))
     1.8 +    request.write("Pages to revert:<br>%s" % "<br>".join([wikiutil.escape(p) for p in revertpages]))
     1.9      for pagename in revertpages:
    1.10 -        request.write("Begin reverting %s ...<br>" % pagename)
    1.11 +        request.write("Begin reverting %s ...<br>" % wikiutil.escape(pagename))
    1.12          msg = revert_page(request, pagename, editor)
    1.13          if msg:
    1.14              request.write("<p>%s: %s</p>" % (
    1.15                  Page.Page(request, pagename).link_to(request), msg))
    1.16 -        request.write("Finished reverting %s.<br>" % pagename)
    1.17 +        request.write("Finished reverting %s.<br>" % wikiutil.escape(pagename))
    1.18  
    1.19  def execute(pagename, request):
    1.20      _ = request.getText
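Review bot: `msg` in the `request.write("<p>%s: %s</p>" % (...link_to(request), msg))` call (1.14-1.15) is still written unescaped, while the three page name writes around it now go through `wikiutil.escape`. If `revert_page` can return text that includes the page name, the editor string or any other user-influenced value, pass it through `wikiutil.escape(msg)` as well, or add a comment stating that its return value is already HTML-safe. As a smaller point, each page name is now escaped up to three times in separate places; escaping once at the top of the loop into a local variable and reusing it for both the "Begin reverting" and "Finished reverting" writes would make it harder for a later edit to add a fourth, unescaped write.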