Fix XSS in openid selector. Thanks, Raghav Bisht.
authorJoey Hess <joeyh@joeyh.name>
Fri, 27 Mar 2015 16:17:39 +0000 (12:17 -0400)
committerSimon McVittie <smcv@debian.org>
Sun, 29 Mar 2015 21:29:06 +0000 (22:29 +0100)
Conflicts:
debian/changelog
doc/bugs/XSS_Alert...__33____33____33__.html

debian/changelog
templates/openid-selector.tmpl

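index dccbb21c0baa84e66a1fd8c866c845f404e62579..2692de13a2460ae2d8167c71297093bc2ba1d472 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20141016.2) UNRELEASED; urgency=high
+
+  [ Joey Hess ]
+  * Fix XSS in openid selector. Thanks, Raghav Bisht.
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 29 Mar 2015 22:28:15 +0100
+
 ikiwiki (3.20141016.1) unstable; urgency=medium
 
   * Backport selected commits for Debian 8: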
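index b6be2720c99e4593d8fede439675916817b37aa5..0fd833042db4d0e692873bfe4b8c5a9bf974a06d 100644
--- a/templates/openid-selector.tmpl
+++ b/templates/openid-selector.tmpl
@@ -23,7 +23,7 @@ $(document).ready(function() {
                </div>
                <div id="openid_input_area">
                        <label for="openid_identifier" class="block">Enter your OpenID:</label>
-                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+                       <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
                        <input id="openid_submit" type="submit" value="Login"/>
                </div>
                <TMPL_IF OPENID_ERROR>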
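Review bot: Only the `value` attribute of `openid_identifier` gains escaping, and the `<TMPL_IF OPENID_ERROR>` block on the last context line continues outside the hunk, so how it prints the error text cannot be confirmed from here. If that block emits the variable unescaped and the message can echo the submitted identifier, it presumably needs the same treatment, `<TMPL_VAR ESCAPE=HTML OPENID_ERROR>`. `ESCAPE=HTML` is the right mode for the changed line because the attribute is double-quoted and that mode encodes quote characters as well as angle brackets. A template comment above the input, stating that OPENID_URL is user-supplied and must stay escaped, would help keep the protection in place through later template edits.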