]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/commitdiff
projects / git.ikiwiki.info.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6d78488)
Fix XSS in openid selector. Thanks, Raghav Bisht.
authorJoey Hess <joeyh@joeyh.name>
Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)
committerSimon McVittie <smcv@debian.org>
Mon, 6 Apr 2015 19:34:46 +0000 (20:34 +0100)
Conflicts:
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html

debian/changelog patch | blob | history
templates/openid-selector.tmpl patch | blob | history

diff --git a/debian/changelog b/debian/changelog
index 720ddb1e0bfb1c83c8fb23233e63cf40db54af95..1897414c460ce30b0f2db9eb29c6bdc86ea6bde4 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20141016.2) UNRELEASED; urgency=high
+
+  [ Joey Hess ]
+  * Fix XSS in openid selector. Thanks, Raghav Bisht.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 29 Mar 2015 22:28:15 +0100
+
 ikiwiki (3.20120629.1) wheezy; urgency=medium
 
   Backport blogspam plugin from experimental, because the version in
diff --git a/templates/openid-selector.tmpl b/templates/openid-selector.tmpl
index b6be2720c99e4593d8fede439675916817b37aa5..0fd833042db4d0e692873bfe4b8c5a9bf974a06d 100644 (file)
--- a/templates/openid-selector.tmpl
+++ b/templates/openid-selector.tmpl
@@ -23,7 +23,7 @@ $(document).ready(function() {
                </div>
                <div id="openid_input_area">
                        <label for="openid_identifier" class="block">Enter your OpenID:</label>
-                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
                        <input id="openid_submit" type="submit" value="Login"/>
                </div>
                <TMPL_IF OPENID_ERROR>
Unnamed repository; edit this file 'description' to name the repository.