Fixes OSQA 446 "Security - Multiple cross site scripting (XSS) vulnerabilities".

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@594 0cfe37f9-358a-4d5e-be75-b63607b5c754

diff --git a/forum/feed.py b/forum/feed.py
index d91fc22c4e1b7b0d251cf2e3105d71c416650af3..f40400979dace9481abfa42749aeb2fa77ec5c00 100644 (file)
--- a/forum/feed.py
+++ b/forum/feed.py
@@ -11,6 +11,7 @@ from django.utils.safestring import mark_safe
 from models import Question
 from forum import settings
 from forum.modules import decorate
 from models import Question
 from forum import settings
 from forum.modules import decorate

+from forum.utils.pagination import generate_uri

 
 @decorate(add_domain, needs_origin=False)
 def add_domain(domain, url):
 
 @decorate(add_domain, needs_origin=False)
 def add_domain(domain, url):


@@ -66,7 +67,7 @@ class BaseNodeFeed(Feed):
 
 class RssQuestionFeed(BaseNodeFeed):
     def __init__(self, request, question_list, title, description):
 
 class RssQuestionFeed(BaseNodeFeed):
     def __init__(self, request, question_list, title, description):

-        url = request.path + "&" + "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        url = request.path + "&" + generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))

         super(RssQuestionFeed, self).__init__(request, title, description, url)
 
         self._question_list = question_list
         super(RssQuestionFeed, self).__init__(request, title, description, url)
 
         self._question_list = question_list

diff --git a/forum/utils/pagination.py b/forum/utils/pagination.py
index c36ad2fb35cacc104597306d8ed4d20c2c52d50d..4a3ebd6682ecd6cc49cb0c79ee2036fb84521777 100644 (file)
--- a/forum/utils/pagination.py
+++ b/forum/utils/pagination.py
@@ -7,7 +7,7 @@ from django.http import Http404
 from django.utils.http import urlquote
 from django.utils.safestring import mark_safe
 from django.utils.html import strip_tags
 from django.utils.http import urlquote
 from django.utils.safestring import mark_safe
 from django.utils.html import strip_tags

-
+from forum.utils.html import sanitize_html

 import logging
 
 def generate_uri(querydict, exclude=None):
 import logging
 
 def generate_uri(querydict, exclude=None):


@@ -15,7 +15,7 @@ def generate_uri(querydict, exclude=None):
 
     for k, l in querydict.iterlists():
         if (not exclude) or (not k in exclude):
 
     for k, l in querydict.iterlists():
         if (not exclude) or (not k in exclude):

-            all += ["%s=%s" % (k, urlquote(v)) for v in l]
+            all += ["%s=%s" % (k, urlquote(strip_tags(v))) for v in l]

         
     return "&".join(all)
 
         
     return "&".join(all)
 

diff --git a/forum/views/readers.py b/forum/views/readers.py
index 1c4dfcc2bcf48cfcc2319d5519778bac22f7dc22..e43567d507c3e461ed0a826593f7d36ad6e652b1 100644 (file)
--- a/forum/views/readers.py
+++ b/forum/views/readers.py
@@ -29,6 +29,7 @@ from forum.forms import get_next_url
 from forum.actions import QuestionViewAction
 from forum.http_responses import HttpResponseUnauthorized
 from forum.feed import RssQuestionFeed, RssAnswerFeed
 from forum.actions import QuestionViewAction
 from forum.http_responses import HttpResponseUnauthorized
 from forum.feed import RssQuestionFeed, RssAnswerFeed

+from forum.utils.pagination import generate_uri

 import decorators
 
 class HottestQuestionsSort(pagination.SortBase):
 import decorators
 
 class HottestQuestionsSort(pagination.SortBase):


@@ -163,7 +164,7 @@ def question_list(request, initial,
     #answer_description = _("answers")
 
     if not feed_url:
     #answer_description = _("answers")
 
     if not feed_url:

-        req_params = "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        req_params = "&".join(generate_uri(request.GET, (_('page'), _('pagesize'), _('sort'))))

         if req_params:
             req_params = '&' + req_params
 
         if req_params:
             req_params = '&' + req_params