deac/instiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

XSS Security Fix

Browse source 
There  was a XSS vulnerability in the handling of categories. Now they are escaped.
This commit is contained in:
Jacques Distler 2007-09-02 00:33:28 -05:00
parent 6fd6be8fea
commit 5ff1b7f6da
2 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
lib/chunks/category.rb
View file

@ -16,7 +16,7 @@ class Category < Chunk::Abstract
def initialize(match_data, content)
super(match_data, content)
@hidden = match_data[1]
@list = match_data[2].split(',').map { |c| c.strip }
@list = match_data[2].split(',').map { |c| html_escape(c.strip) }
@unmask_text = ''
if @hidden
@unmask_text = ''