Merge lp:~wgrant/launchpad/bug-739915 into lp:launchpad

Proposed by William Grant
Status: Merged
Approved by: Robert Collins
Approved revision: no longer in the source branch.
Merged at revision: 12642
Proposed branch: lp:~wgrant/launchpad/bug-739915
Merge into: lp:launchpad
Diff against target: 19 lines (+2/-2)
1 file modified
lib/lp/app/templates/ (+2/-2)
To merge this branch: bzr merge lp:~wgrant/launchpad/bug-739915
Reviewer Review Type Date Requested Status
Robert Collins (community) Approve
Review via email:

Commit message

[r=lifeless][bug=739915] Escape JSON in LP.cache entries.

Description of the change

LP.cache entries need to be escaped, or HTML in strings will be parsed by the browser. That's not optimal.

If IE did not exist then we could use XHTML, where <script> is PCDATA and the escaped JS would have entities expanded. But HTML's <script> is CDATA, so we have to live with some over-escaped values in the cache. Despite how bad this sounds, it won't affect URLs, and it worked fine until this vulnerability was introduced a month ago.

To post a comment you must log in.
Revision history for this message
Robert Collins (lifeless) :
review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'lib/lp/app/templates/'
2--- lib/lp/app/templates/ 2011-02-28 01:09:21 +0000
3+++ lib/lp/app/templates/ 2011-03-22 05:39:31 +0000
4@@ -170,13 +170,13 @@
5 '${links/?key/fmt:api_url}';">
6 </script>
7 <script tal:repeat="key objects"
8- tal:content="structure string:LP.cache['${key}'] =
9+ tal:content="string:LP.cache['${key}'] =
10 ${objects/?key/webservice:json};">
11 </script>
12 </tal:cache>
14 <script tal:condition="context/webservice:is_entry"
15- tal:content="structure string:LP.cache['context'] =
16+ tal:content="string:LP.cache['context'] =
17 ${context/webservice:json};">
18 </script>
19 </metal:lp-client-cache>