diff MoinMoin/items/__init__.py @ 17:41e2918dcafd

escape metadata to avoid XSS / html / js injection via item_name, comment or other user-settable metadata (should fix #3)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 24 Feb 2011 00:36:31 +0100
parents 5568cf133caf
children fe47d0977895
--- a/MoinMoin/items/__init__.py	Thu Feb 24 00:00:53 2011 +0100
+++ b/MoinMoin/items/__init__.py	Thu Feb 24 00:36:31 2011 +0100
@@ -613,7 +613,7 @@
     data = property(fget=get_data)
 
     def _render_meta(self):
-        return "<pre>%s</pre>" % self.meta_dict_to_text(self.meta, use_filter=False)
+        return "<pre>%s</pre>" % escape(self.meta_dict_to_text(self.meta, use_filter=False))
 
     def get_templates(self, mimetype=None):
         """ create a list of templates (for some specific mimetype) """
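Review bot: The new `_render_meta` line depends on a name `escape` whose import is not visible in this hunk; confirm it is brought into scope at the top of the module and that it is an HTML escaper covering `&`, `<`, `>` and both quote characters, since user-settable metadata values are what end up inside the `<pre>` element. The method also has no docstring explaining that it returns an HTML fragment, which is what makes the escaping load-bearing for the next maintainer; I would add `"""Return the item's metadata as text, HTML-escaped, wrapped in a <pre> block."""` under the `def`. If the caller's template applies its own autoescaping, the returned plain `str` may be escaped a second time and render as literal `&lt;pre&gt;`, so the return value may need to be marked as already safe — worth checking against the template that consumes it. The enclosing class starts and ends outside this hunk.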