[interchange-cvs] interchange - heins modified dist/standard/templates/components/results_buylist

interchange-cvs at icdevgroup.org
Fri Mar 27 15:37:53 UTC 2009


User:      heins
Date:      2009-03-27 15:37:53 GMT
Modified:  dist/standard/templates/components Tag: STABLE_5_6-branch
Modified:           results_buylist
Log:
* Fix cross site scripting error found by Josh Lavin of Perusion.

Revision  Changes    Path
1.4.4.1              interchange/dist/standard/templates/components/results_buylist


rev 1.4.4.1, prev_rev 1.4
Index: results_buylist
===================================================================
RCS file: /var/cvs/interchange/dist/standard/templates/components/results_buylist,v
retrieving revision 1.4
retrieving revision 1.4.4.1
diff -u -r1.4 -r1.4.4.1
--- results_buylist	4 Aug 2005 08:48:01 -0000	1.4
+++ results_buylist	27 Mar 2009 15:37:53 -0000	1.4.4.1
@@ -134,7 +134,7 @@
         Don't show the search string if it was empty, since it looks weird
         and the user will see the error below anyway.
 [/comment]
-[tmp matchstring][value-extended name=mv_searchspec joiner=" | "][/tmp]
+[tmp matchstring][value-extended name=mv_searchspec joiner=" | " filter=encode_entities][/tmp]
 [if scratch matchstring]
 [msg arg.0="[scratch matchstring]"]Sorry, no matches for <B>%s</B>.[/msg]
 [/if]
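Review bot: On the changed [tmp matchstring] line, the encoded value is stored in a scratch variable that is then placed inside the double-quoted arg.0="[scratch matchstring]" parameter of [msg], so please confirm that encode_entities escapes the double quote as well as < and >; otherwise a search string containing a quote could end that parameter early. It would also help to extend the [comment] just above to say that matchstring is now stored HTML-encoded, so a later edit does not add a second filter or reuse the value in a non-HTML context.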
@@ -143,7 +143,7 @@
 <B>
 [L]Errors[/L]:
 <BR> 
-[value-extended name=mv_search_error joiner="<BR>"]
+[value-extended name=mv_search_error joiner="<BR>" filter=encode_entities]
 </B>
 [/if]
 
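Review bot: On the mv_search_error line the joiner is itself markup (joiner="<BR>"), so please confirm that filter=encode_entities is applied to each value before joining and not to the joined string. If it runs on the joined result, the line breaks between errors will be shown as literal &lt;BR&gt; text; a search that produces two errors would show which behaviour applies.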






