Changeset 4542
- Timestamp: 02/03/12 16:01:34 (4 months ago)
- Author: tboutell
- Message: Fixed #1220 XSS vulnerability in blog filters
| r4511 | r4542 | |
| 622 | 622 | // This ought to call a_button but I'm wrestling with the incompatibility of inline |
| 623 | 623 | // content and a_button's CSS. Notice that it's playing out rather well in the blog engine. -Tom |
| | 624 | // |
| | 625 | // Always entity-encode the label. Without this the blog filters are an XSS vulnerability |
| 624 | 626 | |
| 625 | 627 | function a_remove_filter_button($label, $url, $parameter) |
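Review bot: the new comment at line 625 should also state that `$label` is expected as raw, unencoded text; a caller that already passes an entity-encoded label will now be double-encoded by the `aHtml::entities($label)` call in the link body, so documenting the contract in the function comment avoids that regression.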
| … | … | |
| 636 | 638 | } |
| 637 | 639 | $url = aUrl::addParams($url, $remove); |
| 638 | | return link_to($label.'<span class="icon"></span>', url_for($url), array('class' => 'a-remove-filter-button', 'title' => 'Remove Filter: ' . $label)); |
| | 640 | return link_to(aHtml::entities($label).'<span class="icon"></span>', url_for($url), array('class' => 'a-remove-filter-button', 'title' => 'Remove Filter: ' . $label)); |
| 639 | 641 | } |
| 640 | 642 | |
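Review bot: the `title` attribute on line 640 still concatenates the raw `$label` (`'title' => 'Remove Filter: ' . $label`), so only the link body sink is encoded explicitly; confirm that `link_to` entity-escapes attribute values, or apply `aHtml::entities($label)` there as well so the fix for #1220 covers both places the label is rendered.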