From cd27a074dbe66de033b3bbf8d25eafc44578729e Mon Sep 17 00:00:00 2001
From: Evgeny Fadeev
Date: Wed, 11 Jan 2012 01:03:10 -0300
Subject: xss vulnerability fix and new release

---
 askbot/__init__.py | 2 +-
 askbot/doc/source/changelog.rst | 4 ++++
 askbot/skins/common/templates/authopenid/signin.html | 4 ++--
 askbot/skins/default/templates/close.html | 2 +-
 askbot/skins/default/templates/question.html | 2 +-
 askbot/skins/default/templates/question/question_card.html | 2 +-
 askbot/skins/default/templates/question/sidebar.html | 2 +-
 askbot/skins/default/templates/question_retag.html | 2 +-
 askbot/skins/default/templates/question_widget.html | 2 +-
 askbot/skins/default/templates/reopen.html | 2 +-
 askbot/skins/default/templates/revisions.html | 2 +-
 askbot/skins/default/templates/user_profile/user_recent.html | 2 +-
 askbot/skins/default/templates/user_profile/user_stats.html | 6 +++---
 askbot/skins/default/templates/widgets/ask_form.html | 2 +-
 14 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/askbot/__init__.py b/askbot/__init__.py
index 7b12329c..eba7d205 100644
--- a/askbot/__init__.py
+++ b/askbot/__init__.py
@@ -9,7 +9,7 @@ import smtplib
 import sys
 import logging
-VERSION = (0, 7, 37)
+VERSION = (0, 7, 38)
 #keys are module names used by python imports,
 #values - the package qualifier to use for pip
diff --git a/askbot/doc/source/changelog.rst b/askbot/doc/source/changelog.rst
index ce18fe11..bd67fd48 100644
--- a/askbot/doc/source/changelog.rst
+++ b/askbot/doc/source/changelog.rst
@@ -1,6 +1,10 @@
 Changes in Askbot
 =================
+0.7.38 (Jan 11, 2012)
+---------------------
+* xss vulnerability fix, issue found by Radim Řehůřek (Evgeny)
+
 0.7.37 (Jan 8, 2012)
 --------------------
 * added basic slugification treatment to question titles with
diff --git a/askbot/skins/common/templates/authopenid/signin.html b/askbot/skins/common/templates/authopenid/signin.html
index 4c894aa3..7fdbe203 100644
--- a/askbot/skins/common/templates/authopenid/signin.html
+++ b/askbot/skins/common/templates/authopenid/signin.html
@@ -11,14 +11,14 @@ {% endif %} {% if answer %}
- {% trans title=answer.question.title, summary=answer.summary %}
+ {% trans title=answer.question.title|escape, summary=answer.summary|escape %} Your answer to {{title}} {{summary}} will be posted once you log in {% endtrans %}
{% endif %} {% if question %}
- {% trans title=question.title, summary=question.summary %}Your question
+ {% trans title=question.title|escape, summary=question.summary|escape %}Your question {{title}} {{summary}} will be posted once you log in {% endtrans %}
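Review bot: Adding `|escape` to the `{% trans %}` arguments on the two changed lines fixes the sites the report covered, but it is an opt-in fix: every other `{{ }}` of user-controlled text that was not touched keeps the original behaviour, and nothing in the templates records why the filter is now required. The need for it suggests autoescaping is disabled for this Jinja2 environment (with autoescape on, the removed lines would already have rendered the title and summary escaped) — worth confirming. The durable fix is to enable autoescape for the environment, or to wrap these templates in `{% autoescape true %} … {% endautoescape %}` and mark the few deliberately-HTML outputs with `|safe`, so that escaping is the default rather than something each output site has to remember. If that is too large for a point release, a template comment at the top of signin.html, `{# autoescape is off: every user-controlled value rendered here must carry |escape #}`, would at least document the invariant the fix depends on. The same applies to the other template hunks in this commit.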
diff --git a/askbot/skins/default/templates/close.html b/askbot/skins/default/templates/close.html
index d8160865..bac2b3ee 100644
--- a/askbot/skins/default/templates/close.html
+++ b/askbot/skins/default/templates/close.html
@@ -4,7 +4,7 @@ {% block content %}

{% trans %}Close question{% endtrans %}

{% trans %}Close the question{% endtrans %}:
- {{ question.get_question_title() }}
+ {{ question.get_question_title()|escape }}

{% csrf_token %}

diff --git a/askbot/skins/default/templates/question.html b/askbot/skins/default/templates/question.html
index 7dc85d84..bfabd634 100644
--- a/askbot/skins/default/templates/question.html
+++ b/askbot/skins/default/templates/question.html
@@ -1,6 +1,6 @@
 {% extends "two_column_body.html" %}
-{% block title %}{% spaceless %}{{ question.get_question_title() }}{% endspaceless %}{% endblock %}
+{% block title %}{% spaceless %}{{ question.get_question_title()|escape }}{% endspaceless %}{% endblock %}
 {% block meta_description %} {% endblock %}
diff --git a/askbot/skins/default/templates/question/question_card.html b/askbot/skins/default/templates/question/question_card.html
index 87f92209..3691a224 100644
--- a/askbot/skins/default/templates/question/question_card.html
+++ b/askbot/skins/default/templates/question/question_card.html
@@ -4,7 +4,7 @@

-

{{ question.get_question_title() }}

+

{{ question.get_question_title()|escape }}

{% include "question/question_tags.html" %}
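Review bot: `question.get_question_title()|escape` is now repeated in the title, close, reopen, retag and card templates of this commit, so any template that calls the helper without the filter — including any added later — reproduces the original bug. Escaping once inside `get_question_title()` and returning a `Markup` string would make every caller safe by construction, and since Jinja2's `escape` passes `Markup` values through unchanged, the filters added here would stay harmless rather than double-escaping; the helper's definition is outside this diff, so that would be a follow-up. Failing that, a comment next to the helper's definition, `# returns raw user text: templates must apply |escape`, should record the contract these templates now depend on.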
diff --git a/askbot/skins/default/templates/question/sidebar.html b/askbot/skins/default/templates/question/sidebar.html
index 918c7662..f5c3273d 100644
--- a/askbot/skins/default/templates/question/sidebar.html
+++ b/askbot/skins/default/templates/question/sidebar.html
@@ -64,7 +64,7 @@
diff --git a/askbot/skins/default/templates/question_retag.html b/askbot/skins/default/templates/question_retag.html
index 883dc3aa..e5632820 100644
--- a/askbot/skins/default/templates/question_retag.html
+++ b/askbot/skins/default/templates/question_retag.html
@@ -5,7 +5,7 @@

{% trans %}Change tags{% endtrans %} [{% trans %}back{% endtrans %}]

{% csrf_token %}

- {{ question.get_question_title() }}
+ {{ question.get_question_title()|escape }}

{{ question.html }}
diff --git a/askbot/skins/default/templates/question_widget.html b/askbot/skins/default/templates/question_widget.html
index bb883c71..89e56898 100644
--- a/askbot/skins/default/templates/question_widget.html
+++ b/askbot/skins/default/templates/question_widget.html
@@ -12,7 +12,7 @@
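Review bot: The question_retag.html hunk escapes the question title, but `{{ question.html }}` in the context line right after it is still emitted raw, and nothing on this page says whether that field is sanitized before it is stored. If it is server-rendered markup that has already been cleaned (as the name suggests), a template comment such as `{# question.html is sanitized at save time; must not be escaped here #}` would keep the next reader from either "fixing" it into double-escaped text or assuming this XSS fix overlooked it. If it is not cleaned upstream, escaping is the wrong tool and it needs a sanitizer before being marked safe — worth confirming which case applies, since the same expression presumably appears in other templates outside this commit.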
diff --git a/askbot/skins/default/templates/reopen.html b/askbot/skins/default/templates/reopen.html
index d68e8bdc..b287da6f 100644
--- a/askbot/skins/default/templates/reopen.html
+++ b/askbot/skins/default/templates/reopen.html
@@ -5,7 +5,7 @@

{% trans %}Reopen question{% endtrans %}

{% trans %}Title{% endtrans %}:
- {{ question.get_question_title() }}
+ {{ question.get_question_title()|escape }}

{% trans %}This question has been closed by
diff --git a/askbot/skins/default/templates/revisions.html b/askbot/skins/default/templates/revisions.html
index 7fb985e2..f86a37ff 100644
--- a/askbot/skins/default/templates/revisions.html
+++ b/askbot/skins/default/templates/revisions.html
@@ -30,7 +30,7 @@ {% if revision.summary %}

- {{ revision.summary }}
+ {{ revision.summary|escape }}
{% endif %} {% if request.user|can_edit_post(post) %}
diff --git a/askbot/skins/default/templates/user_profile/user_recent.html b/askbot/skins/default/templates/user_profile/user_recent.html
index cbd59202..502af7b6 100644
--- a/askbot/skins/default/templates/user_profile/user_recent.html
+++ b/askbot/skins/default/templates/user_profile/user_recent.html
@@ -17,7 +17,7 @@ {% if act.related_object_type == 'question' %}{# question #} {% for question in questions %}{# could also create a new dict #} {% if question.question_id == act.obj %} - ({% trans %}source{% endtrans %}) {% endif %} {% endfor %}
diff --git a/askbot/skins/default/templates/user_profile/user_stats.html b/askbot/skins/default/templates/user_profile/user_stats.html
index 2551015c..d74ecf77 100644
--- a/askbot/skins/default/templates/user_profile/user_stats.html
+++ b/askbot/skins/default/templates/user_profile/user_stats.html
@@ -18,7 +18,7 @@
{% for answered_question in answered_questions %}
- @@ -27,7 +27,7 @@
-- cgit v1.2.3-1-g7c22