Merge pull request #70 from Barrucadu/title-injection

Fix unsanitised text vulnerability in post/fileinfo.html
2014-07-05 23:01:37 +02:00 · 2014-07-05 23:01:37 +02:00 · fcf3863d47
commit fcf3863d47
parent 9df6ca8ddd 8aff83bdd4
1 changed files with 1 additions and 1 deletions
--- a/templates/post/fileinfo.html
+++ b/templates/post/fileinfo.html
@ -22,7 +22,7 @@
 			{% if config.show_filename and file.filename %}
 				, 
 				{% if file.filename|length > config.max_filename_display %}
-					<span class="postfilename" title="{{ file.filename|e }}">{{ file.filename|truncate_filename(config.max_filename_display)|bidi_cleanup }}</span>
+					<span class="postfilename" title="{{ file.filename|e|bidi_cleanup }}">{{ file.filename|truncate_filename(config.max_filename_display)|bidi_cleanup }}</span>
 				{% else %}
 					<span class="postfilename">{{ file.filename|e|bidi_cleanup }}</span>
 				{% endif %}