
Commit a676a86

committed
fixed some xss issues
1 parent 8ac806f commit a676a86

3 files changed

+4
-3
lines changed


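--- a/askbot/templates/users.html
+++ b/askbot/templates/users.html
@@ -63,7 +63,7 @@ <h1 class="section-title">
 <div class="clearfix"></div>
 </div>
 {% if search_query %}
-<p>{% trans %}users matching query {{search_query}}:{% endtrans %}</p>
+<p>{% trans search_query=search_query|escape %}users matching query {{search_query}}:{% endtrans %}</p>
 {% endif %}
 {% if not users.object_list %}
 <p><span>{% trans %}Nothing found.{% endtrans %}</span></p>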
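Review bot: The `|escape` filter on new line 66 covers this one expansion of `search_query`, but needing an explicit filter suggests this template is rendered without autoescaping, so every other place a request-derived value is expanded stays a per-site obligation that is easy to miss. Consider enabling autoescape for this template (or the whole environment) so escaping is the default rather than the exception, with `|safe` reserved for markup that is deliberately trusted. Either way, add a template comment on this line recording why the filter is there, e.g. `{# search_query comes from the request; escaped explicitly because autoescape is not active for this template #}`, so the next edit does not drop it as redundant. Whether autoescape is actually off here cannot be confirmed from the hunk alone.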

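--- a/askbot/utils/functions.py
+++ b/askbot/utils/functions.py
@@ -3,6 +3,7 @@
 import datetime
 from django.utils.translation import ugettext as _
 from django.utils.translation import ungettext
+from django.utils.html import escape
 
 def get_from_dict_or_object(source, key):
 try:
@@ -158,7 +159,7 @@ def setup_paginator(context):
 next_page_number = None
 
 return {
-"base_url": context["base_url"],
+"base_url": escape(context["base_url"]),
 "is_paginated": context["is_paginated"],
 "previous": previous_page_number,
 "has_previous": page_object.has_previous(),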
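Review bot: `escape(context["base_url"])` on new line 162 HTML-escapes a value inside a helper that otherwise returns plain data, which ties setup_paginator to one output sink and leaves nothing in the code saying that `base_url` is now the only pre-escaped key in the returned dict. A template that autoescapes may encode it a second time (depending on whether the engine honors Django's safe-string marking), while a template that does not must remember that every other key is raw. Either record the contract on that line, e.g. `"base_url": escape(context["base_url"]),  # pre-escaped: the paginator template emits it raw inside an href`, or keep the value raw here and escape it where the template renders it, which keeps the escaping next to the HTML it protects. The import hunk above is fine as is; setup_paginator begins outside the second hunk.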

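--- a/askbot/views/commands.py
+++ b/askbot/views/commands.py
@@ -699,7 +699,7 @@ def subscribe_for_tags(request):
 else:
 message = _(
 'Tag subscription was canceled (<a href="%(url)s">undo</a>).'
-) % {'url': request.path + '?tags=' + request.REQUEST['tags']}
+) % {'url': escape(request.path) + '?tags=' + request.REQUEST['tags']}
 request.user.message_set.create(message = message)
 return HttpResponseRedirect(reverse('index'))
 else: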
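Review bot: The fix on new line 702 escapes only `request.path`, while `request.REQUEST['tags']` — a request parameter the caller controls — is still concatenated raw into the same `href`, so that attribute remains unescaped for the part most likely to carry arbitrary input. Build the URL first with the parameter properly encoded and escape the whole string once: `url = request.path + '?' + urlencode({'tags': request.REQUEST['tags']})` followed by `) % {'url': escape(url)}` (`urlencode` from `django.utils.http` would need importing; `escape` appears to be in scope already since the hunk adds no import). `request.REQUEST['tags']` also raises when the parameter is absent, so if this branch can be reached without it, `request.REQUEST.get('tags', '')` avoids a 500 on a malformed request. subscribe_for_tags begins and ends outside the hunk.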
