Commit 13f04563 by Tomas Hlavacek

Fix XSS discovered by prauscher@ohai.su in the Whois code.

The whois code allowed HTML from whois output to be passed through to the resulting
webpage, which would allow XSS on the page.

Remove the Markup() call from the whois result display routine in order to allow
genshi to escape the whois output.
parent f54e1227
......@@ -724,7 +724,7 @@ class ULGCgi:
template = self.loader.load(defaults.whois_template_file)
res = whois.lookup(key)
return template.generate(result=Markup(res),
return template.generate(result=res,
url=url,
url_caption=urlc,
).render('html', doctype='html', encoding='utf-8')
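Review bot: dropping `Markup(res)` in favour of `result=res` is the right fix, but it only closes the hole if `whois_template_file` renders `${result}` through genshi's default escaping; please confirm the template does not re-wrap the value in `Markup` or otherwise emit it raw, since nothing in this hunk shows the template side. A short regression test would lock this in: call the routine with a `whois.lookup` stub returning a string such as `<script>alert(1)</script>` and assert the rendered output contains `&lt;script&gt;` rather than a live tag. A one-line comment above `res = whois.lookup(key)` noting that whois output is attacker-influenced and must stay a plain string would also help prevent the `Markup()` wrapper from being reintroduced later.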