-rw-r--r-- debian/changelog | 3
-rw-r--r-- doc/bugs/XSS_Alert...__33____33____33__.html | 4
-rw-r--r-- templates/openid-selector.tmpl | 2
3 files changed, 8 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog
index 80dec8897..3003b4b3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,6 +13,9 @@ ikiwiki (3.20150108) UNRELEASED; urgency=medium
* t/inline.t: accept translations of "Add a new post titled:"
(Closes: #779365)
+ [ Joey Hess ]
+ * Fix XSS in openid selector. Thanks, Raghav Bisht.
+
-- Joey Hess <id@joeyh.name> Sat, 24 Jan 2015 23:59:20 -0400
ikiwiki (3.20150107) experimental; urgency=medium
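Review bot: the changelog entry names the component but not the defect or the change, and this is the line users will grep for when assessing exposure; consider stating which value was reflected unescaped and what now escapes it, e.g. `* Fix XSS in openid selector: HTML-escape OPENID_URL in templates/openid-selector.tmpl. Thanks, Raghav Bisht.`, and pointing at the report page doc/bugs/XSS_Alert... so the two are linked.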
diff --git a/doc/bugs/XSS_Alert...__33____33____33__.html b/doc/bugs/XSS_Alert...__33____33____33__.html
index 24a1a3af0..436e3faae 100644
--- a/doc/bugs/XSS_Alert...__33____33____33__.html
+++ b/doc/bugs/XSS_Alert...__33____33____33__.html
@@ -23,3 +23,7 @@ Thank You...!!
Your Faithfully,
Raghav Bisht
raghav007bisht@gmail.com
+
+> Thanks Raghav for reporting this issue. I've fixed it in ikiwiki.
+>
+> --[[Joey]]
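Review bot: the reply closes the report without saying what was fixed or where, so a reader of the bug page cannot tell which input was affected or check the fix against a running instance. Suggest naming the template and the change in the reply, e.g. `> Fixed by HTML-escaping OPENID_URL in templates/openid-selector.tmpl.`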
diff --git a/templates/openid-selector.tmpl b/templates/openid-selector.tmpl
index b6be2720c..0fd833042 100644
--- a/templates/openid-selector.tmpl
+++ b/templates/openid-selector.tmpl
@@ -23,7 +23,7 @@ $(document).ready(function() {
</div>
<div id="openid_input_area">
<label for="openid_identifier" class="block">Enter your OpenID:</label>
- <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR OPENID_URL>"/>
+ <input id="openid_identifier" name="openid_identifier" type="text" value="<TMPL_VAR ESCAPE=HTML OPENID_URL>"/>
<input id="openid_submit" type="submit" value="Login"/>
</div>
<TMPL_IF OPENID_ERROR>
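Review bot: `ESCAPE=HTML` is the right choice for OPENID_URL inside a double-quoted attribute value, since HTML::Template's HTML escaping covers the quote characters as well as `<`, `>` and `&`. Two things to confirm before merge: the hunk header shows this template also carries script (`$(document).ready(function() {`), so verify OPENID_URL is not interpolated into that JavaScript anywhere, where `ESCAPE=HTML` alone would not be sufficient and `ESCAPE=JS` would be needed; and the `<TMPL_IF OPENID_ERROR>` branch that starts at the last context line renders a value not visible in this hunk, so check it is escaped as well. Since this bug was a single missing `ESCAPE`, a more durable fix is to construct the template with `default_escape => 'HTML'` so that unescaped output requires an explicit opt-out rather than escaping requiring an explicit opt-in.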