From: richard
Date: Thu, 1 Jul 2010 01:41:54 +0000 (+0000)
Subject: fix potential XSS hole
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=4dad0860c089760479c20d13bbc70ae87cfefc38;p=roundup.git
fix potential XSS hole
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4486 57a73879-2fb5-44c3-a270-3262357dd7e2
---
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index efbe689..ed30096 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1069,9 +1069,9 @@ class Client:
result = result.replace('', s)
return result
except templating.NoTemplate, message:
- return '%s'%message
+ return '%s'%cgi.escape(str(message))
except templating.Unauthorised, message:
- raise Unauthorised(str(message))
+ raise Unauthorised(cgi.escape(str(message)))
except:
# everything else
if self.instance.config.WEB_DEBUG:
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 7867d3e..271955e 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -115,9 +115,9 @@ def find_template(dir, name, view):
if os.path.exists(src):
return (src, generic)
- raise NoTemplate, 'No template file exists for templating "%s" '\
+ raise NoTemplate('No template file exists for templating "%s" '
'with template "%s" (neither "%s" nor "%s")'%(name, view,
- filename, generic)
+ filename, generic))
class Templates:
templates = {}
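Review bot: Both added `cgi.escape(str(message))` calls use the default `quote=False`, so a double quote in the message is passed through unescaped; that is adequate only while the error text is emitted as element content, and if it can ever land inside an attribute value the calls should be `cgi.escape(str(message), True)`. Escaping the `Unauthorised` message at the raise site also makes the exception text HTML-specific: the handler that catches `Unauthorised` (not in this hunk) must emit it verbatim rather than escape again, or users will see entities, and any log sink fed from that exception receives encoded text. A comment on the raise line such as `# message is already HTML-escaped; the Unauthorised handler must not escape it again` would record that contract. This assumes `cgi` is already imported in client.py, which the hunk does not show; the enclosing method starts and ends outside the hunk.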
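Review bot: The rewritten `raise NoTemplate(...)` still interpolates `name`, `view` and `filename` into the message unescaped, so the fix for the reported XSS lives entirely in the single catch site in client.py; any other place that renders a `NoTemplate` message to a browser would need the same escaping, and nothing here documents that. A short comment above the raise, `# name/view may come from the request: callers rendering this message to HTML must escape it`, would make the trust boundary explicit for future callers of find_template. The conversion from the Python 2 `raise Class, value` form to `raise Class(value)` is behaviour-preserving and correctly drops the line-continuation backslash because the string pieces are now inside the call parentheses. The enclosing function begins before this hunk.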