SECURITY / XSS : Stop XSS in post subjects displayed in catalog
git blame says czaks forgot an |e in catalog.html; this means that anyone posting a new thread with HTML in the subject field or name field can arbitrarily insert it into the page.

Conflicts: templates/themes/catalog/catalog.html
parent f4422e597b
commit a550c63f9c
@ -52,14 +52,22 @@
|
|||||||
{% else %}
|
{% else %}
|
||||||
<img src="{{post.file}}"
|
<img src="{{post.file}}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject }}{% endif %}" data-name="{{ post.name }}" data-muhdifference="{{ post.muhdifference }}" data-last-reply="{% if post.last_reply %}{{ post.last_reply }}{% endif %}" data-last-subject="{% if post.last_reply_subject %}{{ post.last_reply_subject }}{% endif %}" data-last-name="{% if post.last_reply %}{{ post.last_reply_name }}{% endif %}" data-last-difference="{% if post.last_reply %}{{ post.last_reply_difference }}{% endif %}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
|
id="img-{{ post.id }}" data-subject="{% if post.subject %}{{ post.subject|e }}{% endif %}" data-name="{{ post.name|e }}" data-muhdifference="{{ post.muhdifference }}" class="{{post.board}} thread-image" title="{{post.bump|date('%b %d %H:%M')}}">
|
||||||
</a>
|
</a>
|
||||||
<p>
|
<div class="replies">
|
||||||
<span class="replies">
|
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong>
|
||||||
<strong>R: {{ post.reply_count }} / I: {{ post.image_count }}</strong><br/>
|
{% if post.subject %}
|
||||||
{{ post.body }}
|
<p class="intro">
|
||||||
</span>
|
<span class="subject">
|
||||||
</p>
|
{{ post.subject|e }}
|
||||||
|
</span>
|
||||||
|
</p>
|
||||||
|
{% else %}
|
||||||
|
<br />
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{{ post.body }}
|
||||||
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</li>
|
</li>
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
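Review bot: the new `<img>` line silently drops the `data-last-reply`, `data-last-subject`, `data-last-name` and `data-last-difference` attributes that the old line carried, which the commit message ("Stop XSS in post subjects") does not explain; if catalog JavaScript reads those attributes this is a functional regression, and if they were removed because `post.last_reply_subject` and `post.last_reply_name` were also unescaped, the narrower fix is to keep them with `|e` (e.g. `data-last-subject="{% if post.last_reply_subject %}{{ post.last_reply_subject|e }}{% endif %}"`) rather than delete them. The `|e` on `post.subject` (both in `data-subject` and in the new `<span class="subject">`) and on `post.name` is correct, but `{{ post.body }}` is still emitted raw in the new `<div class="replies">`, so the fix is only complete if `post.body` is already sanitized HTML before it reaches the template; a comment at that line saying so would save the next reader the same `git blame` trip. Longer term, per-variable `|e` is easy to forget again (which is exactly how this bug arose); enabling Twig's autoescape for this template set and using `|raw` only for `post.body` would make the safe path the default.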