From: richard Date: Tue, 10 Jun 2003 22:55:30 +0000 (+0000) Subject: fix cross-site-scripting bug X-Git-Url: https://git.tokkee.org/?p=roundup.git;a=commitdiff_plain;h=299fdad05fd9d75083715e0ad137f999808bcc21 fix cross-site-scripting bug git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@1725 57a73879-2fb5-44c3-a270-3262357dd7e2
---
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index c08ec82..03aa4ab 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.118 2003-06-09 23:17:23 richard Exp $
+# $Id: client.py,v 1.119 2003-06-10 22:55:30 richard Exp $
 
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
@@ -68,6 +68,13 @@ def initialiseSecurity(security):
 description="User may manipulate user Roles through the web")
 security.addPermissionToRole('Admin', p)
 
+def clean_message(match, ok={'a':1,'i':1,'b':1,'br':1}):
+ ''' Strip all non ,, and
tags from a string
+ '''
+ if ok.has_key(match.group(2)):
+ return match.group(1)
+ return '<%s>'%match.group(2)
+
 class Client:
 ''' Instantiate to handle one CGI request.
 
@@ -341,7 +348,8 @@ class Client:
 # reopen the database as the correct user
 self.opendb(self.user)
 
- def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)')):
+ def determine_context(self, dre=re.compile(r'([^\d]+)(\d+)'),
+ mc=re.compile(r'()')):
 ''' Determine the context of this page from the URL:
 
 The URL path after the instance identifier is examined. The path
@@ -389,8 +397,10 @@ class Client:
 template_override = self.form[key].value
 elif self.FV_OK_MESSAGE.match(key):
 ok_message = self.form[key].value
+ ok_message = mc.sub(clean_message, ok_message)
 elif self.FV_ERROR_MESSAGE.match(key):
 error_message = self.form[key].value
+ error_message = mc.sub(clean_message, error_message)
 
 # determine the classname and possibly nodeid
 path = self.path.split('/')
diff --git a/templates/classic/html/_generic.help.html b/templates/classic/html/_generic.help.html
index 803c171..433df78 100644
--- a/templates/classic/html/_generic.help.html
+++ b/templates/classic/html/_generic.help.html
@@ -49,10 +49,10 @@  x - + - \ No newline at end of file +
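Review bot: The fallback branch of `clean_message` reads, as rendered on this page, `return '<%s>'%match.group(2)`, which would re-emit the tag rather than neutralise it; presumably the literal is `'&lt;%s&gt;'` and the entities were lost in rendering, but that single line is what makes the filter safe, so it deserves a check against the real source. The same rendering loss hides the `mc` pattern in the determine_context hunk (shown as `r'()'`), so it cannot be verified here whether group(2) captures only the tag name or the whole tag interior: in the first case `return match.group(1)` passes an allowed tag through with any attributes it carries, in the second case closing tags such as `</b>` never match the allow-list and are escaped, leaving the message mis-rendered. Whichever it is, the contract should be stated in the docstring, e.g. `Tags not named in ok are HTML-escaped; allowed tags are returned as matched.`, and the lookup `ok.has_key(match.group(2))` is case-sensitive, so `<B>` is escaped while `<b>` passes. The ok_message and error_message hunks later in this diff apply the same substitution and inherit whatever the pattern decides.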