Merge lp:~wgrant/launchpad/bug-739915 into lp:launchpad

Proposed by William Grant

Status: | Merged
---|---
Approved by: | Robert Collins
Approved revision: | no longer in the source branch.
Merged at revision: | 12642
Proposed branch: | lp:~wgrant/launchpad/bug-739915
Merge into: | lp:launchpad
Diff against target: | 19 lines (+2/-2), 1 file modified: lib/lp/app/templates/base-layout-macros.pt (+2/-2)
To merge this branch: | bzr merge lp:~wgrant/launchpad/bug-739915
Related bugs: |

Reviewer | Review Type | Date Requested | Status
---|---|---|---
Robert Collins (community) | | | Approve

Review via email: mp+54296@code.launchpad.net

Commit message
[r=lifeless][bug=739915] Escape JSON in LP.cache entries.
Description of the change
LP.cache entries need to be escaped, or HTML in strings will be parsed by the browser. That's not optimal.
If IE did not exist then we could use XHTML, where <script> is PCDATA and the escaped JS would have entities expanded. But HTML's <script> is CDATA, so we have to live with some over-escaped values in the cache. Despite how bad this sounds, it won't affect URLs, and it worked fine until this vulnerability was introduced a month ago.
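
The behaviour described above, as an added example that is not part of the merge proposal or of Launchpad's code: a simplified model of how an HTML parser ends a script element, applied to a constructed cache entry embedded raw, entity-escaped, and with JSON `\uXXXX` escapes. The `html.escape` call is an assumed stand-in for the template's escaping, the `\uXXXX` variant is an alternative not taken from the page, and all names and the sample value are hypothetical.

```python
import html
import json
import re

# Constructed sample: one cache entry whose string value contains markup.
SAMPLE = {"title": "</script><b>hi</b> & bye"}
PREFIX, SUFFIX = "<script>LP.cache = ", ";</script>"
# Simplified model of HTML's rule: script content ends at the first "</script".
END_TAG = re.compile(r"</script[\s/>]", re.IGNORECASE)


def render_raw(cache):
    """Unescaped embedding: JSON text goes straight into the script element."""
    return PREFIX + json.dumps(cache) + SUFFIX


def render_html_escaped(cache):
    """Entity-escape the JSON text (assumed stand-in for the template's escaping)."""
    return PREFIX + html.escape(json.dumps(cache), quote=False) + SUFFIX


def render_js_escaped(cache):
    """Alternative not taken from the page: JSON \\uXXXX escapes for <, > and &."""
    text = json.dumps(cache)
    for ch in "<>&":
        text = text.replace(ch, "\\u%04x" % ord(ch))
    return PREFIX + text + SUFFIX


def browser_view(page):
    """Return (value the script would assign or None, markup left after the script)."""
    body_start = len("<script>")
    end = END_TAG.search(page, body_start)
    body = page[body_start:end.start()]
    rest = page[page.index(">", end.start()) + 1:]
    source = body[len("LP.cache = "):].rstrip(";")
    try:
        # No entity expansion here: HTML treats script content as CDATA.
        return json.loads(source), rest
    except json.JSONDecodeError:
        return None, rest


if __name__ == "__main__":
    for render in (render_raw, render_html_escaped, render_js_escaped):
        print(render.__name__, browser_view(render(SAMPLE)))
```

The raw rendering leaves the script truncated and the rest of the string in the document as markup; the entity-escaped rendering keeps the script intact but the value arrives with literal `&lt;` and `&amp;` in it, which is the over-escaping the description mentions.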