From: Frank Lichtenheld Date: Tue, 18 Sep 2007 21:11:57 +0000 (+0200) Subject: html/messages.tmpl: Fix XSS vulneralibility X-Git-Url: https://git.deb.at/w?a=commitdiff_plain;h=bbfd15cf954f1041490d6d299d8ed5b581d431ba;p=deb%2Fpackages.git html/messages.tmpl: Fix XSS vulneralibility Noted by Moritz Naumann Since error messages can contain user content, escape them for display.
---
diff --git a/templates/html/messages.tmpl b/templates/html/messages.tmpl
index 3d8b6a6..7c9c611 100644
--- a/templates/html/messages.tmpl
+++ b/templates/html/messages.tmpl
@@ -1,31 +1,31 @@
 [%- FOREACH error IN errors %] [%- '
' IF loop.first %] -

[% error %]

+

[% error | html %]

[% '
' IF loop.last -%] [% END -%] [%- FOREACH debug IN debugs %] [%- '

Debugging:

' IF loop.first -%]
-[% debug %]
+[% debug | html %]
 [% '
' IF loop.last -%] [% END -%] [%- FOREACH hint IN hints %] [%- '
' IF loop.first %] -

[% hint %]

+

[% hint | html %]

[% '
' IF loop.last -%] [% END -%] [%- FOREACH msg IN msgs %] [%- '
' IF loop.first %] -

[% msg %]

+

[% msg | html %]

[% '
' IF loop.last -%] [% END -%] [%- FOREACH note IN notes %] [%- '
' IF loop.first %] [%- IF note.1 %] -

[% note.0 %]

-

[% note.1 %]

+

[% note.0 | html %]

+

[% note.1 | html %]

[% ELSE %] -

[% note.0 %]

+

[% note.0 | html %]

[% END -%] [% '
' IF loop.last -%] [% END -%]
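Review bot: The `html` filter is the right fix for these positions, but Template Toolkit's `html` filter encodes only `&`, `<`, `>` and `"`, leaving `'` untouched, so the same filter would not be sufficient if any of these values were ever placed inside an attribute or script context; the surrounding markup was lost in this rendering, so I am assuming they are emitted as element text. The escaping is also applied one output site at a time, and a later `[% foo %]` added to this file without the filter silently reintroduces the problem, so the contract is worth recording at the top of the template: `[%# All message strings (errors, debugs, hints, msgs, notes) may carry user-supplied text; always emit them through the html filter. %]`. The note.0/note.1 sites in the last FOREACH share the same point.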