fix(XSS): escape event.wikiPage to sanitize XSS vector
Hetti committed Sep 23, 2023
1 parent e07ab15 commit 56630ae
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion cal/views.py
Expand Up @@ -45,7 +45,7 @@ def formatday(self, day, weekday):
body.append('<li class="event">')
if self.admin:
body.append(u'<a href="%s" class="edit" title="edit">✏️</a>' % event.get_absolute_url())
body.append('<a href="/wiki/%s">' % event.wikiPage)
body.append('<a href="/wiki/%s">' % esc(event.wikiPage))
body.append('<span class="event-time">' + event.startDate.strftime('%H:%M') + '</span>')
body.append('<span class="event-name">' + esc(event.name) + '</span>')
body.append('<span class="event-location">' + esc(event.location) + '</span>')
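Review bot: the href built from esc(event.wikiPage) still places the value in a URL path without percent-encoding it, so a page name containing `/`, `?` or `#` changes where the link points even though it can no longer break out of the attribute (assuming esc is the HTML escaper its use on event.name and event.location suggests). Consider percent-encoding the page name first and HTML-escaping the result. Two lines above, event.get_absolute_url() is interpolated into an href with no esc(); if that URL can carry user-controlled text it should get the same treatment. A regression test that renders formatday with a wikiPage containing a double quote and angle brackets would keep this from coming back.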