fix XSS issue, escape page name in rss link
authorThomas Waldmann <tw AT waldmann-edv DOT de>
Sat, 08 Dec 2012 21:55:29 +0100
changeset 5900c98ec456e493
parent 5899 d0567fba754e
child 5901 b9450db6c129
fix XSS issue, escape page name in rss link
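--- a/MoinMoin/theme/__init__.py	Sat Dec 08 21:47:40 2012 +0100
+++ b/MoinMoin/theme/__init__.py	Sat Dec 08 21:55:29 2012 +0100
@@ -904,7 +904,8 @@
         elif rss_supported and self.cfg.rss_show_page_history_link:
             link = (u'<link rel="alternate" title="%s: %s" '
                     u'href="%s" type="application/rss+xml">') % (
-                        wikiutil.escape(self.cfg.sitename, True), page.page_name,
+                        wikiutil.escape(self.cfg.sitename, True),
+                        wikiutil.escape(page.page_name, True),
                         wikiutil.escape(page.url(self.request, querystr={
                             'action': 'rss_rc', 'ddiffs': '1', 'unique': '0',
                             'diffs': '1', 'show_att': '1',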
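Review bot: The third format argument, `wikiutil.escape(page.url(self.request, querystr={...`, also lands inside a double-quoted attribute (`href="%s"`), but the call closes outside this hunk, so it is not visible whether it passes the quote flag the way the two title arguments now do; worth confirming it ends with `, True)`. The `elif` implies a sibling branch above the hunk that presumably builds a similar `<link>` element; if it interpolates `page.page_name` or other page-derived text, it needs the same escaping. I would also add a comment above the tuple, e.g. `# page_name is user-controlled and ends up in a quoted attribute: escape with the quote flag set`, so the reason for the `True` argument survives later refactoring. A regression test that renders the header for a page whose name contains a double quote and checks that the attribute stays intact would pin the fix.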