Fix issue #515 ("XSS bug in diff view (CVE-2012-4533)").
* lib/viewvc.py (DiffSource._get_row): Pass the "extra" line information through the formatter code so that, at a minimum, it's HTML-escaped. Patch by: Nicolás Alvarez <nicolas.alvarez{__AT__}gmail.com> git-svn-id: http://viewvc.tigris.org/svn/viewvc/trunk@2792 8cb11bc2-c004-0410-86c3-e597b4017df7trunk
parent
4a98f512f7
commit
de517ae29c
|
@ -3165,7 +3165,7 @@ class DiffSource:
|
|||
return _item(type='header',
|
||||
line_info_left=match.group(1),
|
||||
line_info_right=match.group(2),
|
||||
line_info_extra=match.group(3))
|
||||
line_info_extra=self._format_text(match.group(3)))
|
||||
|
||||
if line[0] == '\\':
|
||||
# \ No newline at end of file
|
||||
|
|
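Review bot: match.group(1) and match.group(2) on the two lines above the changed one still reach _item unformatted, so the hunk header's left/right fields bypass the escaping the commit adds only for the extra text; if the regex (defined outside this hunk) restricts those groups to digits and commas this is harmless, but that assumption should be stated in a comment or the two values routed through self._format_text as well for consistency. The changed line also deserves a why-comment, since nothing here says where the text comes from: `# group(3) is the free-form context after @@, taken from the diffed file itself; format it so it is at least HTML-escaped (issue #515, CVE-2012-4533)`. The commit message says the formatter escapes "at a minimum", so if _format_text also adds markup it is worth a regression test feeding a header containing literal `<` and `&` and checking the rendered line_info_extra is escaped. The enclosing DiffSource._get_row starts and ends outside the hunk.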