Merge lp:~rharding/launchpad/xss_911632 into lp:launchpad
| | |
|---|---|
| Status: | Merged |
| Approved by: | Richard Harding |
| Approved revision: | no longer in the source branch. |
| Merged at revision: | 14642 |
| Proposed branch: | lp:~rharding/launchpad/xss_911632 |
| Merge into: | lp:launchpad |
| Diff against target: | 21 lines (+2/-2), 1 file modified: lib/lp/code/browser/branchlisting.py (+2/-2) |
| To merge this branch: | bzr merge lp:~rharding/launchpad/xss_911632 |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Aaron Bentley (community) | Approve | | |

Review via email: mp+87507@code.launchpad.net
Commit message
[r=abentley][bug=911632] Fix template to escape output of no branch message.
Description of the change
= Summary =
A user discovered an XSS vector in the code branch listing page for a user.
== Proposed Fix ==
The template inserted the message with content:structure, which emits the value as raw markup and so prevented escaping of the HTML entities.
== Implementation Details ==
A search found that no implementation of no_branch_message puts any HTML into the constructed message, so the structure keyword was simply removed to let escaping take place at the template level.
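To make the proposed fix and the implementation note concrete, here is an added illustration that is not Launchpad's code and does not use zope.pagetemplate: a tiny stand-in renderer that handles only `tal:content` with and without the `structure` keyword, a hypothetical `no_branch_message` that interpolates a user-controlled display name, and a check for whether a raw tag survives in the output. The template strings, the message wording and the display name are constructed for the example.

```python
"""Added example (not Launchpad code): why dropping `structure` fixes the XSS.

In TAL, tal:content="structure expr" inserts the value as raw markup, while
tal:content="expr" HTML-escapes it. This stand-in renderer mimics only that
distinction so the effect on a user-controlled display name is visible
without a Zope installation.
"""
import html
import re

# Constructed templates: the 'before' uses structure, the fix drops it.
TEMPLATE_BEFORE = '<p tal:content="structure view/no_branch_message"/>'
TEMPLATE_AFTER = '<p tal:content="view/no_branch_message"/>'

# Matches the one TAL form this example understands.
_CONTENT_RE = re.compile(
    r'<(?P<tag>\w+) tal:content="(?P<structure>structure )?(?P<expr>[^"]+)"/>'
)


def no_branch_message(display_name: str) -> str:
    """Hypothetical stand-in for a view's no_branch_message property.

    The real message text differs per listing; the point is only that the
    display name is user-controlled text, not markup.
    """
    return "There are no branches owned by %s." % display_name


def render(template: str, context: dict) -> str:
    """Render the TAL subset used here: tal:content with/without structure."""
    def substitute(match):
        value = str(context[match.group("expr")])
        if match.group("structure") is None:
            # Plain content: the value is escaped before insertion.
            value = html.escape(value, quote=True)
        # structure: the value is inserted verbatim, whatever it contains.
        tag = match.group("tag")
        return "<%s>%s</%s>" % (tag, value, tag)
    return _CONTENT_RE.sub(substitute, template)


def contains_raw_tag(rendered: str, tag: str = "script") -> bool:
    """Detection helper: does an unescaped <tag ...> survive in the output?"""
    return re.search(r"<%s\b" % re.escape(tag), rendered, re.IGNORECASE) is not None


def demo(display_name: str):
    """Render the same message through the 'before' and 'after' templates."""
    context = {"view/no_branch_message": no_branch_message(display_name)}
    return render(TEMPLATE_BEFORE, context), render(TEMPLATE_AFTER, context)


if __name__ == "__main__":
    # Constructed display name carrying markup, in the spirit of the QA step.
    before, after = demo('Mallory "/><script>x</script>')
    print("before:", before)
    print("after: ", after)
```

With the `structure` keyword the `<script>` element reaches the page intact; without it the same name renders as `&lt;script&gt;`, which is exactly the one-keyword change the diff summary describes.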
== Tests ==
./bin/test -cvvt test_branchlisting
== Demo and Q/A ==
A user's full name needs to be changed to "'/><script>
I'd prefer it if this used getViewBrowser, as it's simpler. But either way works.