fix potential XSS hole

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4486 57a73879-2fb5-44c3-a270-3262357dd7e2

diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index efbe689fff42351aa384489ae6a28ce1c43bf5fc..ed3009655df02c0b51ca28f5f1c2c4e431da4475 100644 (file)
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1069,9 +1069,9 @@ class Client:
                 result = result.replace('</body>', s)
             return result
         except templating.NoTemplate, message:
-            return '<strong>%s</strong>'%message
+            return '<strong>%s</strong>'%cgi.escape(str(message))
         except templating.Unauthorised, message:
-            raise Unauthorised(str(message))
+            raise Unauthorised(cgi.escape(str(message)))
         except:
             # everything else
             if self.instance.config.WEB_DEBUG:

diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 7867d3e71375c923effac397ba2eee35068c6ab2..271955e52df9612b442e5591f475a7fd92560a4f 100644 (file)
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -115,9 +115,9 @@ def find_template(dir, name, view):
     if os.path.exists(src):
         return (src, generic)
 
-    raise NoTemplate, 'No template file exists for templating "%s" '\
+    raise NoTemplate('No template file exists for templating "%s" '
         'with template "%s" (neither "%s" nor "%s")'%(name, view,
-        filename, generic)
+        filename, generic))
 
 class Templates:
     templates = {}