Fix issue #515 ("XSS bug in diff view (CVE-2012-4533)").

* lib/viewvc.py
  (DiffSource._get_row): Pass the "extra" line information through the
    formatter code so that, at a minimum, it's HTML-escaped.

Patch by: Nicolás Alvarez <nicolas.alvarez{__AT__}gmail.com>


git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@2792 8cb11bc2-c004-0410-86c3-e597b4017df7
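The pattern the commit describes, as an added illustration that is not ViewVC's own code: a unified-diff hunk header carries an optional trailing context string copied verbatim from the file under diff, and that string has to pass through the same formatter as the rest of the output before it reaches an HTML template. The regex, the `format_text` stand-in and the sample header below are assumptions for this example; ViewVC's real `_format_text` does more than escape.

```python
import html
import re

# Unified-diff hunk header: "@@ -L,S +L,S @@ optional context text".
# The text after the second "@@" is what the commit calls the "extra" line
# information. (Hypothetical regex for this example, not ViewVC's own.)
HUNK_HEADER_RE = re.compile(r'^@@ ([-+0-9,]+) ([-+0-9,]+) @@(.*)$')


def format_text(text):
    """Stand-in for the formatter: at a minimum, HTML-escape the text."""
    return html.escape(text, quote=True)


def parse_hunk_header_unescaped(line):
    """Pre-fix shape: the extra context text is passed through verbatim."""
    m = HUNK_HEADER_RE.match(line)
    if not m:
        return None
    return {'type': 'header',
            'line_info_left': m.group(1),
            'line_info_right': m.group(2),
            'line_info_extra': m.group(3)}


def parse_hunk_header(line):
    """Post-fix shape: every field taken from the diff text is formatted.

    The left/right ranges are numeric under this regex, so escaping them is
    a no-op, but routing them through the formatter means a later regex
    change cannot silently reopen the hole.
    """
    m = HUNK_HEADER_RE.match(line)
    if not m:
        return None
    return {'type': 'header',
            'line_info_left': format_text(m.group(1)),
            'line_info_right': format_text(m.group(2)),
            'line_info_extra': format_text(m.group(3))}


# Constructed sample: the context text is taken from the diffed file, so it
# can contain arbitrary markup characters.
SAMPLE_HEADER = '@@ -3165,7 +3165,7 @@ class DiffSource: # <b>"extra"</b>'

if __name__ == '__main__':
    print(parse_hunk_header_unescaped(SAMPLE_HEADER)['line_info_extra'])
    print(parse_hunk_header(SAMPLE_HEADER)['line_info_extra'])
```

The unescaped variant hands `<b>"extra"</b>` straight to the template; the formatted variant yields `&lt;b&gt;&quot;extra&quot;&lt;/b&gt;`, which a browser renders as text rather than markup.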
trunk
cmpilato 2012-10-24 13:26:36 +00:00
parent 4a98f512f7
commit de517ae29c
1 changed file with 1 addition and 1 deletion

@ -3165,7 +3165,7 @@ class DiffSource:
return _item(type='header',
line_info_left=match.group(1),
line_info_right=match.group(2),
line_info_extra=match.group(3))
line_info_extra=self._format_text(match.group(3)))
if line[0] == '\\':
# \ No newline at end of file
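Review bot: line_info_left and line_info_right (match.group(1) and match.group(2), two lines above the changed line) still reach the template without passing through self._format_text; the regex that produces them is outside this hunk, so either add a comment next to _get_row stating that groups 1 and 2 are constrained to the numeric `-N,M +N,M` form, or route them through self._format_text as well so a later regex change cannot reopen the issue. A regression test that feeds DiffSource._get_row a hunk header whose trailing context contains `<`, `>` and `"` and asserts on the escaped line_info_extra would pin the fix for CVE-2012-4533.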