
remove XSS attack in installing plugin, thanks Nerendra Bhati

mdipierro committed May 4, 2016
1 parent 1e74c33 commit 51c3b633fe7ad647bc3013e899c1e3a910362dd1
Showing with 3 additions and 0 deletions.
  1. +3 −0 applications/admin/controllers/default.py
@@ -1954,6 +1954,9 @@ def install_plugin():
plugin = request.vars.plugin
if not (source and app):
raise HTTP(500, T("Invalid request"))
# make sure no XSS attacks in source
if not source.lower().split('://')[0] in ('http','https'):
raise HTTP(500, T("Invalid request"))
form = SQLFORM.factory()
result = None
if form.process().accepted:
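Review bot: the new allow-list only inspects the text before the first `://` in `source`, so it blocks non-http(s) schemes (the XSS vector named in the commit message) but does not otherwise validate `source` as a URL; parsing it with `urlparse` and checking `scheme` and `netloc`, and escaping the value wherever it is later rendered, would make the defense less dependent on this single string split. A minor point: raising `HTTP(500, T("Invalid request"))` for a client-supplied bad value follows the existing line above it, but a 400-class status would describe the failure more accurately and keep server-error alerting clean.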
