allura-commits mailing list archives

From brond...@apache.org
Subject [2/2] git commit: [#7560] better HTML construction to avoid injection attacks, in case error message might have user-entered text
Date Wed, 24 Sep 2014 14:26:33 GMT
[#7560] better HTML construction to avoid injection attacks, in case error message might have user-entered text


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/da263158
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/da263158
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/da263158

Branch: refs/heads/master
Commit: da263158c5bc889ef173b99d8a0acb162bd14d4f
Parents: 60ca822
Author: Dave Brondsema <dbrondsema@slashdotmedia.com>
Authored: Wed Sep 24 14:15:19 2014 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Wed Sep 24 14:15:19 2014 +0000

----------------------------------------------------------------------
 ForgeTracker/forgetracker/widgets/ticket_form.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/da263158/ForgeTracker/forgetracker/widgets/ticket_form.py
----------------------------------------------------------------------
diff --git a/ForgeTracker/forgetracker/widgets/ticket_form.py b/ForgeTracker/forgetracker/widgets/ticket_form.py
index 4248b38..0ac3973 100644
--- a/ForgeTracker/forgetracker/widgets/ticket_form.py
+++ b/ForgeTracker/forgetracker/widgets/ticket_form.py
@@ -78,7 +78,7 @@ class GenericTicketForm(ew.SimpleForm):
 
         display = field.display(**ctx)
         if ctx['errors'] and field.show_errors and not ignore_errors:
-            display += literal("<div class='error'>{0}</div>".format(ctx['errors']))
+            display += literal("<div class='error'>") + ctx['errors'] + literal("</div>")
         return display
 
     def _add_current_value_to_user_field(self, field, user):
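Review bot: the new `+` line is only safe if `ctx['errors']` is a plain (unsafe) string, so it is worth pinning that assumption down. Assuming `literal` behaves like `markupsafe.Markup`, `literal(...) + ctx['errors']` escapes the right-hand operand, which is what fixes the injection; the old `literal("...".format(ctx['errors']))` built the string first and then marked the whole thing safe, including any user-entered text. Two cases the visible lines do not rule out: if `ctx['errors']` is ever already a `literal`/Markup instance, nothing is escaped; and if it is a non-string value (a list or dict of per-field errors, say), the `+` raises `TypeError` where `.format()` used to render it. Consider coercing explicitly, e.g. `literal("<div class='error'>") + escape(unicode(ctx['errors'])) + literal("</div>")`, or, if `literal` is `markupsafe.Markup`, `literal("<div class='error'>{0}</div>").format(ctx['errors'])`, since `Markup.format` escapes its arguments. A one-line comment stating that the concatenation form is deliberate (it escapes the error text) would also stop a future cleanup from reverting to the `.format` pattern.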

