XSS was still possible:

`admin/filebrowser/browse/?"</script><script>alert("XSS")</script>`

Some review of whether or not the quoted strings break functionality is needed.
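As an added regression check for the behaviour this commit changes (example code, not django-filebrowser's own test suite), the block below re-implements `get_query_string()` in its pre-fix and post-fix forms and feeds both the probe from the commit message. It assumes that `urllib.parse.quote(..., safe="/")` behaves like `django.utils.http.urlquote`, and that the parameter-merging logic above the visible hunk matches the `del` / `elif v is not None` tail shown in the diff; both are assumptions, so the module runs without Django installed.

```python
"""Regression check for fb_tags.get_query_string, added as an example.

This is not django-filebrowser's own code or test suite: it rebuilds the
function from the lines visible in the diff so the fix can be exercised
without Django. urlquote() below is a stand-in for django.utils.http.urlquote.
"""
from urllib.parse import quote

# The key from the commit message's probe URL: the part after '?' carries no
# '=' so the whole thing becomes a parameter *name*, which the old code
# never quoted.
PROBE_KEY = '"</script><script>alert("XSS")</script>'


def urlquote(value):
    # Assumed equivalent of Django's urlquote: percent-encode everything
    # except '/', so '"', '<', '>', '&', '=' and spaces all become %XX.
    return quote(str(value), safe="/")


def apply_params(p, new_params=None, remove=None):
    # Merge logic assumed from the visible tail of the function: prefixes in
    # `remove` drop matching keys, a None value in `new_params` deletes a key,
    # any other value sets it. Work on a copy so the caller's dict is untouched.
    p = dict(p)
    for prefix in remove or []:
        for k in list(p):
            if k.startswith(prefix):
                del p[k]
    for k, v in (new_params or {}).items():
        if k in p and v is None:
            del p[k]
        elif v is not None:
            p[k] = v
    return p


def get_query_string_before(p, new_params=None, remove=None):
    """Pre-fix line 66: only the value is quoted, the key is emitted raw."""
    p = apply_params(p, new_params, remove)
    joined = "&".join("%s=%s" % (k, urlquote(v)) for k, v in p.items())
    return ("?" + joined).replace(" ", "%20")


def get_query_string(p, new_params=None, remove=None):
    """Post-fix line 64: key and value are both quoted, no space replace."""
    p = apply_params(p, new_params, remove)
    return "?" + "&".join(
        "%s=%s" % (urlquote(k), urlquote(v)) for k, v in p.items()
    )


def probe_results():
    """Return (before, after) output for the commit message's probe key."""
    params = {PROBE_KEY: ""}
    return get_query_string_before(params), get_query_string(params)


if __name__ == "__main__":
    before, after = probe_results()
    print("before:", before)
    print("after: ", after)
    print("normal:", get_query_string({"dir": "some dir", "o": "1"}))
```

The interesting assertion is the one on the key: the fixed form contains neither `<` nor `"`, so whatever template context the tag renders into, the browser receives percent-encoded bytes rather than markup. The ordinary-parameter checks answer the commit message's open question for the common case: keys made of letters, digits and underscores are unchanged by quoting, and a space in a value still comes out as `%20` without the explicit `.replace`.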
commit 0d06a3d002896d97a8136542df06583e57ccde96 1 parent 126a09a
Sigurd Fosseng authored March 24, 2012

Showing 1 changed file with 1 addition and 3 deletions.

4  filebrowser/templatetags/fb_tags.py
@@ -2,8 +2,6 @@
2 2
 
3 3
 # django imports
4 4
 from django import template
5  
-from django.utils.encoding import smart_unicode
6  
-from django.utils.safestring import mark_safe 
7 5
 from django.utils.http import urlquote
8 6
 
9 7
 # filebrowser imports
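Review bot: the import removals at lines 5 and 6 are only safe if `smart_unicode` and `mark_safe` have no remaining callers in fb_tags.py; the commit's one other change (line 66) drops the `mark_safe` call, but nothing in the diff shows where `smart_unicode` was used, so confirm the module has no other reference to it before merging. Dropping `mark_safe` is the right direction: a query string assembled from request parameters must never be declared safe for HTML.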
@@ -63,7 +61,7 @@ def get_query_string(p, new_params=None, remove=None):
63 61
             del p[k]
64 62
         elif v is not None:
65 63
             p[k] = v
66  
-    return mark_safe('?' + '&'.join([u'%s=%s' % (k, urlquote(v)) for k, v in p.items()]).replace(' ', '%20')) 
  64
+    return '?' + '&'.join([u'%s=%s' % (urlquote(k), urlquote(v)) for k, v in p.items()])
67 65
 
68 66
 
69 67
 def string_to_dict(string):
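Review bot: the effective fix on line 64 is `urlquote(k)`, not the removal of `mark_safe`. The old line quoted only the value, so a parameter name taken from the request (the `?"</script>...` probe in the commit message has no `=` and therefore arrives entirely as a key) reached the page raw. Two follow-ups: first, if this return value is emitted by a tag Node rather than through a `{{ }}` variable, dropping `mark_safe` changes nothing on its own, so the percent-encoding of both halves must stay; second, removing `.replace(' ', '%20')` is fine because `urlquote` already encodes spaces, but add a test with a key and a value containing `"`, `<`, `&` and a space so the commit message's open question about quoting breaking functionality is answered by the test suite rather than by review.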
