changeset 17:41e2918dcafd

escape metadata to avoid XSS / html / js injection via item_name, comment or other user-settable metadata (should fix #3)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Thu, 24 Feb 2011 00:36:31 +0100
parents f835165ac6f8
children e2cf59f5a802
files MoinMoin/items/__init__.py
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
--- a/MoinMoin/items/__init__.py	Thu Feb 24 00:00:53 2011 +0100
+++ b/MoinMoin/items/__init__.py	Thu Feb 24 00:36:31 2011 +0100
@@ -613,7 +613,7 @@
     data = property(fget=get_data)
 
     def _render_meta(self):
-        return "<pre>%s</pre>" % self.meta_dict_to_text(self.meta, use_filter=False)
+        return "<pre>%s</pre>" % escape(self.meta_dict_to_text(self.meta, use_filter=False))
 
     def get_templates(self, mimetype=None):
         """ create a list of templates (for some specific mimetype) """
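Review bot: The name `escape` on the new line of `_render_meta` is not defined or imported anywhere in the hunk, so the fix depends on an import outside this view; the import should be confirmed, and it should be an escaper that at least rewrites `&`, `<` and `>` (enough for text inside a `<pre>` element, where attribute quoting is not involved), not a local helper with narrower behavior. If the rendering layer autoescapes strings, the returned `"<pre>…</pre>"` would itself be escaped on output, so the caller's handling of this return value (outside the hunk) is worth checking too. Since this is the only place the metadata text is made safe, a docstring stating that contract would help future edits, e.g. `"""Return the item's metadata as HTML-escaped text inside a <pre> block (metadata is user-settable; see #3)."""`.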