authorEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-01-11 01:03:10 -0300
committerEvgeny Fadeev <evgeny.fadeev@gmail.com>2012-01-11 01:08:32 -0300
commitcd27a074dbe66de033b3bbf8d25eafc44578729e (patch)
treeedcd407b8c57db7010773687826bc8c937f72122
parentb7509cdeeff8b3431915bc16d92a8ae2de9a824c (diff)
xss vulnerability fix and new release
-rw-r--r--askbot/__init__.py2
-rw-r--r--askbot/doc/source/changelog.rst4
-rw-r--r--askbot/skins/common/templates/authopenid/signin.html4
-rw-r--r--askbot/skins/default/templates/close.html2
-rw-r--r--askbot/skins/default/templates/question.html2
-rw-r--r--askbot/skins/default/templates/question/question_card.html2
-rw-r--r--askbot/skins/default/templates/question/sidebar.html2
-rw-r--r--askbot/skins/default/templates/question_retag.html2
-rw-r--r--askbot/skins/default/templates/question_widget.html2
-rw-r--r--askbot/skins/default/templates/reopen.html2
-rw-r--r--askbot/skins/default/templates/revisions.html2
-rw-r--r--askbot/skins/default/templates/user_profile/user_recent.html2
-rw-r--r--askbot/skins/default/templates/user_profile/user_stats.html6
-rw-r--r--askbot/skins/default/templates/widgets/ask_form.html2
14 files changed, 20 insertions, 16 deletions
diff --git a/askbot/__init__.py b/askbot/__init__.py
index 7b12329c..eba7d205 100644
--- a/askbot/__init__.py
+++ b/askbot/__init__.py
@@ -9,7 +9,7 @@ import smtplib
import sys
import logging
-VERSION = (0, 7, 37)
+VERSION = (0, 7, 38)
#keys are module names used by python imports,
#values - the package qualifier to use for pip
diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst
index ce18fe11..bd67fd48 100644
--- a/askbot/doc/source/changelog.rst
+++ b/askbot/doc/source/changelog.rst
@@ -1,6 +1,10 @@
Changes in Askbot
=================
+0.7.38 (Jan 11, 2012)
+---------------------
+* xss vulnerability fix, issue found by Radim Řehůřek (Evgeny)
+
0.7.37 (Jan 8, 2012)
--------------------
* added basic slugification treatment to question titles with
diff --git a/askbot/skins/common/templates/authopenid/signin.html b/askbot/skins/common/templates/authopenid/signin.html
index 4c894aa3..7fdbe203 100644
--- a/askbot/skins/common/templates/authopenid/signin.html
+++ b/askbot/skins/common/templates/authopenid/signin.html
@@ -11,14 +11,14 @@
{% endif %}
{% if answer %}
<div class="message">
- {% trans title=answer.question.title, summary=answer.summary %}
+ {% trans title=answer.question.title|escape, summary=answer.summary|escape %}
Your answer to {{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
{% endif %}
{% if question %}
<div class="message">
- {% trans title=question.title, summary=question.summary %}Your question
+ {% trans title=question.title|escape, summary=question.summary|escape %}Your question
{{title}} {{summary}} will be posted once you log in
{% endtrans %}
</div>
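Review bot: The fix relies on adding `|escape` at each individual output site, which presumably means the Jinja environment renders with autoescaping off; the same spot-fix pattern recurs in close.html, question.html, question_card.html, sidebar.html, question_retag.html, question_widget.html, reopen.html, revisions.html, user_recent.html, user_stats.html and ask_form.html. Every future `{{ ... }}` of user-supplied text then has to remember the filter, and the next omission reopens the same class of bug. A more durable follow-up would be to turn autoescaping on for the template environment and mark the few intentionally raw insertions (such as rendered post bodies) with `|safe`, so the default is the safe direction; that is outside this change and the environment setup is not visible from here. Within this hunk the change itself looks right: escaping inside the `{% trans %}` variable assignments escapes the values before they are interpolated into the translated string.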
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html
index d8160865..bac2b3ee 100644
--- a/askbot/skins/default/templates/close.html
+++ b/askbot/skins/default/templates/close.html
@@ -4,7 +4,7 @@
{% block content %}
<h1>{% trans %}Close question{% endtrans %}</h1>
<p>{% trans %}Close the question{% endtrans %}: <a href="{{ question.get_absolute_url() }}">
- <strong>{{ question.get_question_title() }}</strong></a>
+ <strong>{{ question.get_question_title()|escape }}</strong></a>
</p>
<form id="fmclose" action="{% url close question.id %}" method="post" >{% csrf_token %}
<p>
diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html
index 7dc85d84..bfabd634 100644
--- a/askbot/skins/default/templates/question.html
+++ b/askbot/skins/default/templates/question.html
@@ -1,6 +1,6 @@
{% extends "two_column_body.html" %}
<!-- question.html -->
-{% block title %}{% spaceless %}{{ question.get_question_title() }}{% endspaceless %}{% endblock %}
+{% block title %}{% spaceless %}{{ question.get_question_title()|escape }}{% endspaceless %}{% endblock %}
{% block meta_description %}
<meta name="description" content="{{question.summary|striptags|escape}}" />
{% endblock %}
diff --git a/askbot/skins/default/templates/question/question_card.html b/askbot/skins/default/templates/question/question_card.html
index 87f92209..3691a224 100644
--- a/askbot/skins/default/templates/question/question_card.html
+++ b/askbot/skins/default/templates/question/question_card.html
@@ -4,7 +4,7 @@
</div>
<div class="question-content">
- <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a></h1>
+ <h1><a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a></h1>
{% include "question/question_tags.html" %}
<div id="question-table" {% if question.deleted %}class="deleted"{%endif%}>
<div class="question-body">
diff --git a/askbot/skins/default/templates/question/sidebar.html b/askbot/skins/default/templates/question/sidebar.html
index 918c7662..f5c3273d 100644
--- a/askbot/skins/default/templates/question/sidebar.html
+++ b/askbot/skins/default/templates/question/sidebar.html
@@ -64,7 +64,7 @@
<div class="questions-related">
{% for question in similar_questions.data() %}
<p>
- <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title() }}</a>
+ <a href="{{ question.get_absolute_url() }}">{{ question.get_question_title()|escape }}</a>
</p>
{% endfor %}
</div>
diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html
index 883dc3aa..e5632820 100644
--- a/askbot/skins/default/templates/question_retag.html
+++ b/askbot/skins/default/templates/question_retag.html
@@ -5,7 +5,7 @@
<h1>{% trans %}Change tags{% endtrans %} [<a href="{{ question.get_absolute_url() }}">{% trans %}back{% endtrans %}</a>]</h1>
<form id="fmretag" action="{% url retag_question question.id %}" method="post" >{% csrf_token %}
<h2>
- {{ question.get_question_title() }}
+ {{ question.get_question_title()|escape }}
</h2>
<div id="description" class="edit-content-html">
{{ question.html }}
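Review bot: `{{ question.html }}` on the last line of the hunk is still emitted raw directly below the newly escaped title, with nothing marking that as deliberate. If that attribute holds markup that was already sanitized when the post was saved (the name suggests so, but it cannot be confirmed from here), a template comment such as `{# question.html is the pre-rendered, sanitized post body - intentionally not escaped #}` would distinguish it from an omission that the next reader of this fix might try to "correct" with `|escape`, which would break its rendering. If it is not sanitized, it needs the same treatment as the title.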
diff --git a/askbot/skins/default/templates/question_widget.html b/askbot/skins/default/templates/question_widget.html
index bb883c71..89e56898 100644
--- a/askbot/skins/default/templates/question_widget.html
+++ b/askbot/skins/default/templates/question_widget.html
@@ -12,7 +12,7 @@
<ul>
{% for question in questions %}
<li><a href="{{settings.APP_URL}}{{ question.get_absolute_url() }}">
- {{ question.title }}</a></li>
+ {{ question.title|escape }}</a></li>
{% endfor %}
</ul>
</div>
diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html
index d68e8bdc..b287da6f 100644
--- a/askbot/skins/default/templates/reopen.html
+++ b/askbot/skins/default/templates/reopen.html
@@ -5,7 +5,7 @@
<h1>{% trans %}Reopen question{% endtrans %}</h1>
<p>{% trans %}Title{% endtrans %}:
<a href="{{ question.get_absolute_url() }}">
- <span class="big">{{ question.get_question_title() }}</span>
+ <span class="big">{{ question.get_question_title()|escape }}</span>
</a>
</p>
<p>{% trans %}This question has been closed by
diff --git a/askbot/skins/default/templates/revisions.html b/askbot/skins/default/templates/revisions.html
index 7fb985e2..f86a37ff 100644
--- a/askbot/skins/default/templates/revisions.html
+++ b/askbot/skins/default/templates/revisions.html
@@ -30,7 +30,7 @@
<td width="200px" style="vertical-align:middle">
{% if revision.summary %}
<div class="summary">
- <span>{{ revision.summary }}</span>
+ <span>{{ revision.summary|escape }}</span>
</div>
{% endif %}
{% if request.user|can_edit_post(post) %}
diff --git a/askbot/skins/default/templates/user_profile/user_recent.html b/askbot/skins/default/templates/user_profile/user_recent.html
index cbd59202..502af7b6 100644
--- a/askbot/skins/default/templates/user_profile/user_recent.html
+++ b/askbot/skins/default/templates/user_profile/user_recent.html
@@ -17,7 +17,7 @@
{% if act.related_object_type == 'question' %}{# question #}
{% for question in questions %}{# could also create a new dict #}
{% if question.question_id == act.obj %}
- (<a title="{{question.summary|collapse}}"
+ (<a title="{{question.summary|collapse|escape}}"
href="{% url question question.question_id %}{{question.title|slugify}}">{% trans %}source{% endtrans %}</a>)
{% endif %}
{% endfor %}
diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html
index 2551015c..d74ecf77 100644
--- a/askbot/skins/default/templates/user_profile/user_stats.html
+++ b/askbot/skins/default/templates/user_profile/user_stats.html
@@ -18,7 +18,7 @@
<div class="user-stats-table">
{% for answered_question in answered_questions %}
<div class="answer-summary">
- <a title="{{answered_question.summary|collapse}}"
+ <a title="{{answered_question.summary|collapse|escape}}"
href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">
<span class="answer-votes {% if answered_question.accepted %}answered-accepted{% endif %}"
title="{% trans answer_score=answered_question.answer_score %}the answer has been voted for {{ answer_score }} times{% endtrans %} {% if answered_question.accepted %}{% trans %}this answer has been selected as correct{% endtrans %}{%endif%}">
@@ -27,7 +27,7 @@
</a>
<div class="answer-link">
{% spaceless %}
- <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title}}</a>
+ <a href="{% url question answered_question.id %}{{answered_question.title|slugify}}#{{answered_question.answer_id}}">{{answered_question.title|escape}}</a>
{% endspaceless %}
{% if answered_question.comment_count %}
<span>
@@ -119,7 +119,7 @@
<a
title="{{ award.content_object.get_snippet()|collapse }}"
href="{{ award.content_object.get_absolute_url() }}"
- >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title }}</a>
+ >{% if award.content_type == answer_type %}{% trans %}Answer to:{% endtrans %}{% endif %} {{ award.content_object.get_origin_post().title|escape }}</a>
</li>
{% endif %}
{% endfor %}
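Review bot: `title="{{ award.content_object.get_snippet()|collapse }}"` two lines above the changed line is left unescaped, while the analogous `summary|collapse` attributes in the first hunk of this file and in user_recent.html gain `|escape` in this commit. If `get_snippet()` returns user-authored text rather than already-escaped output, this attribute has the same shape as the bug being fixed and should read `title="{{ award.content_object.get_snippet()|collapse|escape }}"`; the helper's implementation is not visible from here. The enclosing `{% for %}` loop over awards starts outside the hunk.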
diff --git a/askbot/skins/default/templates/widgets/ask_form.html b/askbot/skins/default/templates/widgets/ask_form.html
index 18196d93..17dc89f5 100644
--- a/askbot/skins/default/templates/widgets/ask_form.html
+++ b/askbot/skins/default/templates/widgets/ask_form.html
@@ -14,7 +14,7 @@
{% endif %}
{% endif %}
<input id="id_title" class="questionTitleInput" name="title" autocomplete="off"
- value="{% if form.initial.title %}{{form.initial.title}}{% endif %}"/>
+ value="{% if form.initial.title %}{{form.initial.title|escape}}{% endif %}"/>
<span class="form-error">{{ form.title.errors }}</span>
</div>
<div class="title-desc">