changeset 5900:c98ec456e493

fix XSS issue, escape page name in rss link
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sat, 08 Dec 2012 21:55:29 +0100
parents d0567fba754e
children b9450db6c129
files MoinMoin/theme/__init__.py
diffstat 1 files changed, 2 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/theme/__init__.py	Sat Dec 08 21:47:40 2012 +0100
+++ b/MoinMoin/theme/__init__.py	Sat Dec 08 21:55:29 2012 +0100
@@ -904,7 +904,8 @@
         elif rss_supported and self.cfg.rss_show_page_history_link:
             link = (u'<link rel="alternate" title="%s: %s" '
                     u'href="%s" type="application/rss+xml">') % (
-                        wikiutil.escape(self.cfg.sitename, True), page.page_name,
+                        wikiutil.escape(self.cfg.sitename, True),
+                        wikiutil.escape(page.page_name, True),
                         wikiutil.escape(page.url(self.request, querystr={
                             'action': 'rss_rc', 'ddiffs': '1', 'unique': '0',
                             'diffs': '1', 'show_att': '1',
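Review bot: The `href` argument that starts on the line after the added one lands in a double-quoted attribute just like the two title values, but its `wikiutil.escape(page.url(...` call closes outside the hunk, so the quote flag cannot be checked from here. It is worth confirming that the call ends with `, True)` so that all three substitutions are escaped for attribute context. A short comment above the tuple would record why the flag matters, for example `# page names are user-controlled and land inside title="..."; escape with quote=True`. A regression test that renders this link for a page name containing a double quote and angle brackets, then asserts the raw characters are absent from the output, would keep the fix from being undone later.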