From a676a86b6b7a5737d4da4f59f71e037406f88d29 Mon Sep 17 00:00:00 2001
From: Evgeny Fadeev
Date: Tue, 7 May 2013 23:59:42 -0400
Subject: fixed some xss issues
---
 askbot/templates/users.html | 2 +-
 askbot/utils/functions.py | 3 ++-
 askbot/views/commands.py | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/askbot/templates/users.html b/askbot/templates/users.html
index 5ab4c28a..14e07f7f 100644
--- a/askbot/templates/users.html
+++ b/askbot/templates/users.html
@@ -63,7 +63,7 @@
{% if search_query %} -

{% trans %}users matching query {{search_query}}:{% endtrans %}

+

{% trans search_query=search_query|escape %}users matching query {{search_query}}:{% endtrans %}

{% endif %} {% if not users.object_list %}

{% trans %}Nothing found.{% endtrans %}

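Review bot: The `|escape` bound into the `{% trans %}` block on the new side is the entire fix, yet nothing in the template records why it is needed, so the next `{% trans %}` that interpolates request-derived text (`search_query` presumably comes from the query string) will repeat the bug silently; add `{# values bound into {% trans %} are not autoescaped by this template setup, so escape them explicitly #}` above the block, adjusting the wording to the project's actual Jinja2 autoescape configuration. If `search_query` is also echoed elsewhere in users.html, for example as a search field's value attribute, it needs the same treatment, which this hunk does not show. The paragraph markup around the removed and added lines appears to have been stripped in this rendering, so the hunk's line counts cannot be verified here.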
diff --git a/askbot/utils/functions.py b/askbot/utils/functions.py
index 592dcf43..ba9df877 100644
--- a/askbot/utils/functions.py
+++ b/askbot/utils/functions.py
@@ -3,6 +3,7 @@ import random
 import datetime
 from django.utils.translation import ugettext as _
 from django.utils.translation import ungettext
+from django.utils.html import escape
 def get_from_dict_or_object(source, key):
 try:
@@ -158,7 +159,7 @@ def setup_paginator(context):
 next_page_number = None
 return {
- "base_url": context["base_url"],
+ "base_url": escape(context["base_url"]),
 "is_paginated": context["is_paginated"],
 "previous": previous_page_number,
 "has_previous": page_object.has_previous(),
diff --git a/askbot/views/commands.py b/askbot/views/commands.py
index 207a0615..dee8d1e4 100644
--- a/askbot/views/commands.py
+++ b/askbot/views/commands.py
@@ -699,7 +699,7 @@ def subscribe_for_tags(request):
 else:
 message = _(
 'Tag subscription was canceled (undo).'
- ) % {'url': request.path + '?tags=' + request.REQUEST['tags']}
+ ) % {'url': escape(request.path) + '?tags=' + request.REQUEST['tags']}
 request.user.message_set.create(message = message)
 return HttpResponseRedirect(reverse('index'))
 else:
--
cgit v1.2.3-1-g7c22
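Review bot: `escape(context["base_url"])` HTML-escapes what is otherwise a URL fragment at the point the dict is built, so every consumer of the returned `base_url` now receives `&amp;` for `&`; that is correct for href attributes in the paginator template but wrong for anything that builds a further URL from it in Python, and nothing records the contract. Either move the escaping into the template (`{{ base_url|escape }}`, or enable autoescape there) or annotate the line with `# base_url is rendered straight into href attributes by the paginator template; HTML-escaped here because that template does not autoescape it -- TODO confirm`. Django's `escape()` is unconditional, so a caller that already passes a SafeData value gets escaped twice; `django.utils.html.conditional_escape` avoids that if any such caller exists. The body of setup_paginator begins before this hunk.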
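Review bot: `escape(request.path)` hardens the half of the URL the user does not control, while `request.REQUEST['tags']` is attacker-supplied and is still concatenated into `url` neither URL-encoded nor HTML-escaped, so if the translated message places `%(url)s` inside an href (the anchor markup around "undo" looks stripped in this rendering) the original injection point is untouched. Percent-encode the user value and escape the assembled URL once: `from django.utils.http import urlquote` and `) % {'url': escape(request.path + '?tags=' + urlquote(request.REQUEST['tags']))}`. The diffstat shows no import added to commands.py, so this change relies on `escape` already being in scope in that module, which the hunk does not show. subscribe_for_tags starts and ends outside the hunk.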