SECURITY / XSS : Stop XSS in post subjects displayed in catalog
git blame says czaks forgot an |e in catalog.html, this means that anyone posting a new thread with HTML in the subject field or name field can arbitrarily insert it into the page. Conflicts: templates/themes/catalog/catalog.html
This commit is contained in:
parent
f4422e597b
commit
a550c63f9c
@ -52,14 +52,22 @@
|
||||
{% else %}
|
||||
<img src="{{post.file}}"
|
||||
{% endif %}
|
||||
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject }}{% endif %}" data-name="{{ post.name }}" data-muhdifference="{{ post.muhdifference }}" data-last-reply="{% if post.last_reply %}{{ post.last_reply }}{% endif %}" data-last-subject="{% if post.last_reply_subject %}{{ post.last_reply_subject }}{% endif %}" data-last-name="{% if post.last_reply %}{{ post.last_reply_name }}{% endif %}" data-last-difference="{% if post.last_reply %}{{ post.last_reply_difference }}{% endif %}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
|
||||
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
|
||||
</a>
|
||||
<p>
|
||||
<span class="replies">
|
||||
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong><br/>
|
||||
{{ post.body }}
|
||||
</span>
|
||||
</p>
|
||||
<div class="replies">
|
||||
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong>
|
||||
{% if post.subject %}
|
||||
<p class="intro">
|
||||
<span class="subject">
|
||||
{{ post.subject|e }}
|
||||
</span>
|
||||
</p>
|
||||
{% else %}
|
||||
<br />
|
||||
{% endif %}
|
||||
|
||||
{{ post.body }}
|
||||
</div>
|
||||
</div>
|
||||
</li>
|
||||
{% endfor %}
|
||||
|
Loading…
Reference in New Issue
Block a user