diff options
| author | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2013-05-07 23:59:42 -0400 |
|---|---|---|
| committer | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2013-05-07 23:59:42 -0400 |
| commit | a676a86b6b7a5737d4da4f59f71e037406f88d29 (patch) | |
| tree | c937dec0997b7a961785f239e46c43a9e9135709 | |
| parent | 8ac806f3fd19e2cc08643560432b8bc2f99f6497 (diff) | |
| download | askbot-a676a86b6b7a5737d4da4f59f71e037406f88d29.tar.gz askbot-a676a86b6b7a5737d4da4f59f71e037406f88d29.tar.bz2 askbot-a676a86b6b7a5737d4da4f59f71e037406f88d29.zip | |
fixed some xss issues
| -rw-r--r-- | askbot/templates/users.html | 2 | ||||
| -rw-r--r-- | askbot/utils/functions.py | 3 | ||||
| -rw-r--r-- | askbot/views/commands.py | 2 |
3 files changed, 4 insertions, 3 deletions
diff --git a/askbot/templates/users.html b/askbot/templates/users.html index 5ab4c28a..14e07f7f 100644 --- a/askbot/templates/users.html +++ b/askbot/templates/users.html @@ -63,7 +63,7 @@ <div class="clearfix"></div> </div> {% if search_query %} - <p>{% trans %}users matching query {{search_query}}:{% endtrans %}</p> + <p>{% trans search_query=search_query|escape %}users matching query {{search_query}}:{% endtrans %}</p> {% endif %} {% if not users.object_list %} <p><span>{% trans %}Nothing found.{% endtrans %}</span></p> diff --git a/askbot/utils/functions.py b/askbot/utils/functions.py index 592dcf43..ba9df877 100644 --- a/askbot/utils/functions.py +++ b/askbot/utils/functions.py @@ -3,6 +3,7 @@ import random import datetime from django.utils.translation import ugettext as _ from django.utils.translation import ungettext +from django.utils.html import escape def get_from_dict_or_object(source, key): try: @@ -158,7 +159,7 @@ def setup_paginator(context): next_page_number = None return { - "base_url": context["base_url"], + "base_url": escape(context["base_url"]), "is_paginated": context["is_paginated"], "previous": previous_page_number, "has_previous": page_object.has_previous(), diff --git a/askbot/views/commands.py b/askbot/views/commands.py index 207a0615..dee8d1e4 100644 --- a/askbot/views/commands.py +++ b/askbot/views/commands.py @@ -699,7 +699,7 @@ def subscribe_for_tags(request): else: message = _( 'Tag subscription was canceled (<a href="%(url)s">undo</a>).' - ) % {'url': request.path + '?tags=' + request.REQUEST['tags']} + ) % {'url': escape(request.path) + '?tags=' + request.REQUEST['tags']} request.user.message_set.create(message = message) return HttpResponseRedirect(reverse('index')) else: |