Fixes an XSS in bunny1.

ccheever · Apr 30, 2012 · f078b60 · f078b60
1 parent d72dbca
commit f078b60
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/bunny1.py b/src/bunny1.py
@@ -170,7 +170,7 @@ def do_command(self, raw, a=(), k={}):
             try:
                 return self.do_command(arg)
             except HTTPRedirect, redir:
-                url = redir.urls[0]
+                url = escape(redir.urls[0])
                 return "<code><b>bunny1</b> DEBUG: redirect to <a href='%s'>%s</a></code>" % (url, url)
 
         # we don't want people calling things like __str__, etc.