From: richard Date: Tue, 24 Jun 2003 03:30:40 +0000 (+0000) Subject: fix hackish message escaping (sf bug 757128) X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=6f3f2686e59ef478a2a7ee89425443d337b36609;p=roundup.git fix hackish message escaping (sf bug 757128) git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@1752 57a73879-2fb5-44c3-a270-3262357dd7e2 --- diff --git a/CHANGES.txt b/CHANGES.txt index 30690e3..247b7e4 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -6,6 +6,7 @@ are given with the most recent entry first. - handle deprecation of FCNTL in python2.2+ (sf bug 756756) - handle missing Subject: line (sf bug 755331) - handle New User creation (sf bug 754510) +- fix hackish message escaping (sf bug 757128) 2003-06-10 0.6.0b3 diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py index 03aa4ab..1394120 100644 --- a/roundup/cgi/client.py +++ b/roundup/cgi/client.py @@ -1,4 +1,4 @@ -# $Id: client.py,v 1.119 2003-06-10 22:55:30 richard Exp $ +# $Id: client.py,v 1.120 2003-06-24 03:30:30 richard Exp $ __doc__ = """ WWW request handler (also used in the stand-alone server). @@ -68,10 +68,16 @@ def initialiseSecurity(security): description="User may manipulate user Roles through the web") security.addPermissionToRole('Admin', p) -def clean_message(match, ok={'a':1,'i':1,'b':1,'br':1}): +# used to clean messages passed through CGI variables - HTML-escape any tag +# that isn't , , and
(including XHTML variants) so +# that people can't pass through nasties like '), + '<script>x</script>') + self.assertEqual(cm(''), + '<iframe>x</iframe>') + class FormTestCase(unittest.TestCase): def setUp(self): self.dirname = '_test_cgi_form' @@ -502,7 +522,9 @@ class FormTestCase(unittest.TestCase): [('issue', None, 'files', [('file', '-1')])])) def suite(): - l = [unittest.makeSuite(FormTestCase), + l = [ + unittest.makeSuite(FormTestCase), + unittest.makeSuite(MessageTestCase), ] return unittest.TestSuite(l)