Fix Two XSS Vulnerabilities
Unescaped page names (in 'edit' and 'new' views). Unsanitized HTTP_CLIENT_IP header.
parent ab63a21ccd
commit 503f956084
4 changed files with 5 additions and 4 deletions
@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
# Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
def plain_name
web.brackets_only? ? name : WikiWords.separate(name)
web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))
end
LOCKING_PERIOD = 30.minutes
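Review bot: wrapping both branches of the ternary in `CGI.escapeHTML(...)` inside the model's `plain_name` fixes the 'edit' and 'new' views named in the commit message, but it changes the method's contract for every other caller: any template that already wraps the value in `h(...)` will now double-escape (an `&` in a page name comes out as `&amp;amp;`), and any caller that wanted the literal name gets HTML entities instead. Prefer leaving `plain_name` unescaped and escaping at the output point in the two views, or adding a separate escaped accessor. If the model-level escape is kept, update the comment above the method to say the result is HTML-escaped, and collapse the duplicated call to `CGI.escapeHTML(web.brackets_only? ? name : WikiWords.separate(name))`.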