[interchange] Encode UI error message to eliminate XSS

Jon Jensen interchange-cvs at icdevgroup.org
Mon Jul 11 20:34:11 UTC 2011


commit 7587e188bcb8b5f0ba4e4715c23379fdb55e2a17
Author: Josh Lavin <josh at perusion.com>
Date:   Mon Jul 11 10:12:09 2011 -0500

    Encode UI error message to eliminate XSS

 dist/catalog_after.cfg |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/dist/catalog_after.cfg b/dist/catalog_after.cfg
index 1967a26..c9515ce 100644
--- a/dist/catalog_after.cfg
+++ b/dist/catalog_after.cfg
@@ -73,7 +73,8 @@ sub {
 		$status = 0;
 	}
 	else {
-		$Scratch->{ui_error} = "Not authorized for file $CGI->{mv_nextpage}";
+		my $file = $Tag->filter('encode_entities', $CGI->{mv_nextpage});
+		$Scratch->{ui_error} = "Not authorized for file $file";
 		$CGI->{mv_nextpage} = '__UI_BASE__/error';
 		$status = 1;
 	}
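Review bot: The encoding is applied when the message is stored in `$Scratch->{ui_error}`, not when it is displayed, so the fix only holds if every template that renders `ui_error` treats the value as already HTML-encoded; a page that applies its own encoding on output would double-encode the filename (`&` becomes `&amp;amp;`), and any other code path that sets `ui_error` from request data without this filter stays exposed. Worth checking the other assignments to `ui_error` in the UI and noting in the commit message that `ui_error` is now stored pre-encoded, so later contributors do not re-encode or bypass it.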
