Fix XSS vulnerabilities in chunk-handling

Jacques Distler 2007-09-23 19:30:39 +00:00
parent 36b86a9d41
commit a3d3f1c536
6 changed files with 55 additions and 3 deletions


@ -16,7 +16,8 @@ class Category < Chunk::Abstract
def initialize(match_data, content)
super(match_data, content)
@hidden = match_data[1]
@list = match_data[2].split(',').map { |c| c.strip }
@list = match_data[2].split(',').map { |c| c.to_s.is_utf8? ? html_escape(c. strip) : nil }
@list.compact!
@unmask_text = ''
if @hidden
@unmask_text = ''
@ -28,6 +29,6 @@ def initialize(match_data, content)
# TODO move presentation of page metadata to controller/view
def url(category)
%{<a class="category_link" href="../list/?category=#{category}">#{category}</a>}
%{<a class="category_link" href="../list/#{category}">#{category}</a>}
end
end
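Review bot: The new `url` in the second hunk drops `category` straight into the href path, and the HTML escaping added in `initialize` does not percent-encode URL metacharacters (`/`, `?`, `#`, space), so a category containing them still yields a broken or misdirected link; the value needs URL encoding for the href and HTML escaping for the link text, e.g. `%{<a class="category_link" href="../list/#{CGI.escape(category)}">#{category}</a>}` applied to the raw value rather than the already-escaped one, to avoid double-encoding `&amp;`. HTML context and URL context are different escapes and this method sits in both. In the first hunk the added line has a stray space in `c. strip`; `c.strip` is the intended spelling. `initialize` runs on past the first hunk and `Category` is declared before it, so where the `category` argument of `url` comes from is not visible here; presumably it is an element of `@list`, which would already be HTML-escaped.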