[interchange] Encode UI error message to eliminate XSS
Jon Jensen
interchange-cvs at icdevgroup.org
Mon Jul 11 20:34:11 UTC 2011
commit 7587e188bcb8b5f0ba4e4715c23379fdb55e2a17
Author: Josh Lavin <josh at perusion.com>
Date: Mon Jul 11 10:12:09 2011 -0500
Encode UI error message to eliminate XSS
dist/catalog_after.cfg | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/dist/catalog_after.cfg b/dist/catalog_after.cfg
index 1967a26..c9515ce 100644
--- a/dist/catalog_after.cfg
+++ b/dist/catalog_after.cfg
@@ -73,7 +73,8 @@ sub {
$status = 0;
}
else {
- $Scratch->{ui_error} = "Not authorized for file $CGI->{mv_nextpage}";
+ my $file = $Tag->filter('encode_entities', $CGI->{mv_nextpage});
+ $Scratch->{ui_error} = "Not authorized for file $file";
$CGI->{mv_nextpage} = '__UI_BASE__/error';
$status = 1;
}
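Review bot: the entity encoding in this hunk is applied when the message is stored in `$Scratch->{ui_error}`, not when it is rendered, so the fix only holds if the `__UI_BASE__/error` page outputs the scratch value verbatim; any consumer of `ui_error` that already applies an entities filter on output will now double-encode the filename, and any other code path that writes unencoded user input into `ui_error` stays exploitable. Consider either moving the filter to the point of output or adding a comment beside `my $file = $Tag->filter('encode_entities', $CGI->{mv_nextpage});` stating that `ui_error` is expected to hold pre-encoded HTML, so later callers follow the same convention. The original `$CGI->{mv_nextpage}` is still untrusted after this change; that is fine here because the next line overwrites it with `'__UI_BASE__/error'`, but the encoded copy in `$file` should not be reused as a path.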