From bbfd15cf954f1041490d6d299d8ed5b581d431ba Mon Sep 17 00:00:00 2001
From: Frank Lichtenheld <frank@lichtenheld.de>
Date: Tue, 18 Sep 2007 23:11:57 +0200
Subject: [PATCH 1/1] html/messages.tmpl: Fix XSS vulneralibility

Noted by Moritz Naumann <security -at- moritz-naumann com>

Since error messages can contain user content, escape them
for display.
---
 templates/html/messages.tmpl | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/templates/html/messages.tmpl b/templates/html/messages.tmpl
index 3d8b6a6..7c9c611 100644
--- a/templates/html/messages.tmpl
+++ b/templates/html/messages.tmpl
@@ -1,31 +1,31 @@
 <!-- messages.tmpl -->
 [%- FOREACH error IN errors %]
 [%- '<div class="perror">' IF loop.first %]
- <p>[% error %]</p>
+ <p>[% error | html %]</p>
 [% '</div>' IF loop.last -%]
 [% END -%]
 [%- FOREACH debug IN debugs %]
 [%- '<div class="pdebug"><h2>Debugging:</h2><pre>' IF loop.first -%]
-[% debug %]
+[% debug | html %]
 [% '</pre></div>' IF loop.last -%]
 [% END -%]
 [%- FOREACH hint IN hints %]
 [%- '<div class="phints">' IF loop.first %]
- <p>[% hint %]</p>
+ <p>[% hint | html %]</p>
 [% '</div>' IF loop.last -%]
 [% END -%]
 [%- FOREACH msg IN msgs %]
 [%- '<div class="pmsgs">' IF loop.first %]
- <p>[% msg %]</p>
+ <p>[% msg | html %]</p>
 [% '</div>' IF loop.last -%]
 [% END -%]
 [%- FOREACH note IN notes %]
 [%- '<div class="pnotes">' IF loop.first %]
 [%- IF note.1 %]
- <h2>[% note.0 %]</h2>
- <p>[% note.1 %]</p>
+ <h2>[% note.0 | html %]</h2>
+ <p>[% note.1 | html %]</p>
 [% ELSE %]
- <p>[% note.0 %]</p>
+ <p>[% note.0 | html %]</p>
 [% END -%]
 [% '</div>' IF loop.last -%]
 [% END -%]
-- 
2.39.2