From a550c63f9c896ddba236d9136998a858c233b492 Mon Sep 17 00:00:00 2001 From: 8chan Date: Fri, 23 Jan 2015 02:29:55 -0800 Subject: [PATCH] SECURITY / XSS : Stop XSS in post subjects displayed in catalog git blame says czaks forgot an |e in catalog.html, this means that anyone posting a new thread with HTML in the subject field or name field can arbitrarily insert it into the page. Conflicts: templates/themes/catalog/catalog.html --- templates/themes/catalog/catalog.html | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/templates/themes/catalog/catalog.html b/templates/themes/catalog/catalog.html index 72cb8698..aef6c139 100644 --- a/templates/themes/catalog/catalog.html +++ b/templates/themes/catalog/catalog.html @@ -52,14 +52,22 @@ {% else %} + id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}"> -

- - R: {{ post.reply_count }} / I: {{ post.image_count }}
- {{ post.body }} -
-

+
+ R: {{ post.reply_count }} / I: {{ post.image_count }} + {% if post.subject %} +

+ + {{ post.subject|e }} + +

+ {% else %} +
+ {% endif %} + + {{ post.body }} +
{% endfor %}
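Review bot: The tag carrying `id="img-{{ post.id }}"` still interpolates `post.board` and `post.id` into `class` and `id` without `|e`, and `{{ post.body }}` remains raw, so the hunk escapes the two fields named in the message but keeps the pattern that produced the bug: every interpolation has to individually remember `|e`. Board URIs and post IDs are presumably server-validated, so those two are likely harmless, but the catalog script that reads `data-subject`/`data-name` receives the decoded raw string back from the DOM, and if it writes that with `.html()`/innerHTML instead of `.text()` the attribute escaping here gives no protection; worth checking. The durable fix is to enable Twig autoescaping for the templates so unescaped output has to be opted into with `{{ post.body|raw }}` rather than opted out of field by field. Also confirm against the posting code that `post.subject` and `post.name` are stored unencoded, otherwise `|e` here double-encodes entities such as `&amp;`. Whether further context lines follow `{% endfor %}` is not visible in this page.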