* Fixes escaping of comments in the new backend pane to prevent
      XSS. Thanks to Steffen Röemann for reporting!
fe-hicking committed Dec 23, 2014
1 parent 91412bf commit 36cde30
Showing 3 changed files with 9 additions and 3 deletions.
6 changes: 6 additions & 0 deletions docs/NEWS
@@ -1,5 +1,11 @@
#

Version 2.0-rc2 (December 23rd, 2014)
------------------------------------------------------------------------

* Fixes escaping of comments in the new backend pane to prevent
XSS. Thanks to Steffen Röemann for reporting!

Version 2.0-rc1 (includes beta4/5/6) (December 19th, 2014)
------------------------------------------------------------------------

2 changes: 1 addition & 1 deletion serendipity_config.inc.php
Expand Up @@ -44,7 +44,7 @@
}

// The version string
$serendipity['version'] = '2.0-rc1';
$serendipity['version'] = '2.0-rc2';


// Setting this to 'false' will enable debugging output. All alpha/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.
4 changes: 2 additions & 2 deletions templates/2k11/admin/overview.inc.tpl
Expand Up @@ -39,9 +39,9 @@
{if is_array($comments)}
{foreach $comments as $comment}
<li class="clearfix"><b>{$comment.author|escape|truncate:30:"&hellip;"} {$CONST.IN} <a href="{$comment.entrylink}" title="Comment to {$comment.title}">#{$comment.id}</a></b>
<div class="comment_summary">{$comment.body|truncate:100:"&hellip;"}</div>
<div class="comment_summary">{$comment.body|escape|truncate:100:"&hellip;"}</div>

<div id="c{$comment.id}_full" class="comment_full additional_info">{$comment.fullBody}</div>
<div id="c{$comment.id}_full" class="comment_full additional_info">{$comment.fullBody|escape}</div>

<ul class="plainList actions">
<li><a class="button_link" href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=edit&amp;serendipity[id]={$comment.id}&amp;serendipity[entry_id]={$comment.entry_id}&amp;{$urltoken}" title="{$CONST.EDIT}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.EDIT}</span></a></li>
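Review bot: `{$comment.title}` inside the `title="…"` attribute and `{$comment.entrylink}` inside `href` on the first `<li>` line of the hunk are still emitted without `|escape`, so a double quote in either value can break out of the attribute even after this fix; applying the same modifier the commit adds elsewhere, `title="Comment to {$comment.title|escape}"`, closes that gap. Whether those two values can be influenced by an untrusted party is not visible here (they presumably come from the entry rather than from the commenter), so treat the attribute-context escaping as defence in depth consistent with the change made to the body and fullBody outputs. The `{foreach}` opened on the second line of the hunk closes outside it.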
