Fix XSS in openid selector. Thanks, Raghav Bisht.
authorJoey Hess <joeyh@joeyh.name>
Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)
committerJoey Hess <joeyh@joeyh.name>
Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html
templates/openid-selector.tmpl

index 80dec8897d6f2d85bdffdc000c123b165fb7fec3..3003b4b3aa4a13a7bbfc779e0c7bef25f559ead2 100644 (file)
@@ -13,6 +13,9 @@ ikiwiki (3.20150108) UNRELEASED; urgency=medium
   * t/inline.t: accept translations of "Add a new post titled:"
     (Closes: #779365)
 
+  [ Joey Hess ]
+  * Fix XSS in openid selector. Thanks, Raghav Bisht.
+
  -- Joey Hess <id@joeyh.name>  Sat, 24 Jan 2015 23:59:20 -0400
 
 ikiwiki (3.20150107) experimental; urgency=medium
index 24a1a3af0eac0b57f87110a2b1c4af958054890d..436e3faaec1fed04fa5d37e04bd14419db1168d8 100644 (file)
@@ -23,3 +23,7 @@ Thank You...!!
 Your Faithfully,
 Raghav Bisht
 raghav007bisht@gmail.com
+
+> Thanks Raghav for reporting this issue. I've fixed it in ikiwiki.
+> 
+> --[[Joey]] 
index b6be2720c99e4593d8fede439675916817b37aa5..0fd833042db4d0e692873bfe4b8c5a9bf974a06d 100644 (file)
@@ -23,7 +23,7 @@ $(document).ready(function() {
                </div>
                <div id="openid_input_area">
                        <label for="openid_identifier" class="block">Enter your OpenID:</label>
-                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
                        <input id="openid_submit" type="submit" value="Login"/>
                </div>
                <TMPL_IF OPENID_ERROR>
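Review bot: The added `ESCAPE=HTML` on the `openid_identifier` value attribute is correct for a double-quoted attribute context, but the same template has other interpolation points this hunk does not cover: the `<TMPL_IF OPENID_ERROR>` branch opening on the hunk's last line presumably renders `<TMPL_VAR OPENID_ERROR>` into the page, and the hunk header shows the template also contains inline JavaScript (`$(document).ready(function() {`). If any variable is substituted inside that script block, HTML escaping is the wrong primitive — a JS string context needs `ESCAPE=JS`, since `&quot;` does not stop a quote break or a `</script>` injection the way JS escaping does — and OPENID_ERROR needs `ESCAPE=HTML` unless the Perl side already escapes it; I cannot confirm either from this hunk. A grep for `<TMPL_VAR ` lacking an `ESCAPE=` modifier across templates/ would settle both, and a t/ regression test that renders the selector with an `openid_identifier` such as `"><script>alert(1)</script>` would keep this fix from regressing.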