authorGabriel Pérez-Cerezo <gabriel@gpcf.eu>2018-07-06 23:21:49 +0200
committerGabriel Pérez-Cerezo <gabriel@gpcf.eu>2018-07-06 23:21:49 +0200
commit95679599de538a4833dd873f0630e5819b60db10 (patch)
tree3375de183cba882702a47ddf0f207589858ffec8
parent5fe8f5636768201db4703124aefd1378871c8429 (diff)
Prevent HTML injection
-rw-r--r--templates/bug.html8
-rw-r--r--templates/buglist.html6
2 files changed, 7 insertions, 7 deletions
diff --git a/templates/bug.html b/templates/bug.html
index 7f58780..fc891fa 100644
--- a/templates/bug.html
+++ b/templates/bug.html
@@ -11,17 +11,17 @@
<h1><a href="/"> Hemiptera Bugtracker at {{DOMAIN}}</a></h1>
<h2><a href="/{{prname}}" >{{prname}}</a></h2>
<h3 class="subject" >
- {{ replies[0]["Subject"] }}
+ {{ replies[0]["Subject"]|e }}
</h3>
Send replies to <a href="mailto:{{ bug.id }}@{{ DOMAIN }}" >{{ bug.id }}@{{ DOMAIN }}</a>
</header>
{% for i in replies %}
<div class="container">
<div class="date {% if i["From"] == replies[0]["From"] %}op{% endif %}{% if i["From"] in devs %}dev{% endif %}">
- <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] }}
+ <img class="avatar" src="{{ i["Avatar"] }}" alt="avatar" /> From: {% if i["From"] == replies[0]["From"] %} OP {% elif i["From"] in devs %} Developer {% else %} Someone else {% endif %}<br> {{ i["Date"] |e}}
</div>
<div class="reply">
-<p>{{ i.get_body("plain").get_content().replace("\n", "</p><p>") }}</p>
+<p>{{ i.get_body("plain").get_content()|e|replace("\n", "</p><p>") }}</p>
</div>
</div>
{% endfor %}
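Review bot: The `src="{{ i["Avatar"] }}"` value on the `<img>` line is still rendered unescaped while the Subject, Date and body on the surrounding lines now get `|e`; a `"` or `>` in that value breaks out of the attribute, so it should read `{{ i["Avatar"]|e }}` unless it is known to be a URL assembled entirely server-side. The same applies to `{{ bug.id }}` and `{{prname}}` in the header, which are interpolated into `href` and `mailto:` attributes without escaping. Escaping expression-by-expression is easy to miss, as this hunk shows; enabling Jinja autoescape for the `.html` templates would cover every `{{ }}` in one place, after which the explicit `|e` filters become harmless no-ops. One caveat on the body line: `|e|replace("\n", "</p><p>")` inserts the raw tags only because autoescape appears to be off here — with autoescape on, Jinja's `replace` filter operates on the `Markup` value and, as far as I can tell, escapes the replacement string, so the `</p><p>` would then have to be wrapped in `Markup` or the paragraph split done in the view.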
@@ -30,7 +30,7 @@
<div class="status-header date">
<img class="avatar" src="/static/excl.png" alt="avatar" />
<b>Status Update</b> <br>
- {{ bug.closeddate }}
+ {{ bug.closeddate|e}}
</div>
<div class="status-message reply">
<i>This bug was closed.</i>
diff --git a/templates/buglist.html b/templates/buglist.html
index 3e69108..142dc69 100644
--- a/templates/buglist.html
+++ b/templates/buglist.html
@@ -29,12 +29,12 @@
<td>
{{ i.id }}
<td>
- <a href="/{{ prname }}/{{ i.id }}.html"> {{ i.subject }}</a>
+ <a href="/{{ prname }}/{{ i.id }}.html"> {{ i.subject|e }}</a>
<td>
{{ i.replies }}
- <td title="{{ i.created }}">
+ <td title="{{ i.created|e }}">
{{ i.nicecreated }}
- <td title="{{ i.last_reply }}">
+ <td title="{{ i.last_reply|e }}">
{{ i.nicereply }}
<td>
{% if i.closed %}
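Review bot: `{{ i.created|e }}` and `{{ i.last_reply|e }}` are now escaped but the neighbouring `{{ i.nicecreated }}`, `{{ i.nicereply }}`, `{{ i.id }}` and `{{ i.replies }}` are not; if `nicecreated`/`nicereply` are derived from the same mail headers and fall back to the raw value when parsing fails, they need the same treatment, `{{ i.nicecreated|e }}` and `{{ i.nicereply|e }}`. `{{ i.id }}` is also interpolated into the `href` on the subject line and, in bug.html, into a `mailto:` address, so if it originates from a message header rather than a server-generated counter it should be escaped or validated against a strict pattern as well. The ad-hoc `|e` approach makes gaps like these easy to miss; turning on Jinja autoescape for the `.html` templates would close them all at once.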