1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/4d0bfc13fd58/ changeset: 4d0bfc13fd58 user: dannon date: 2012-11-05 21:21:05 summary: Security: Prevent potential reflected XSS via MessageException (possible in the case of invalid/malicious id lookups, for instance). Cleanup imports. affected #: 1 file
diff -r 873dba0459da52335fab1dab38de88a92d44a264 -r 4d0bfc13fd582083eb2caec31029a3b4664da4ce lib/galaxy/web/framework/__init__.py
--- a/lib/galaxy/web/framework/__init__.py
+++ b/lib/galaxy/web/framework/__init__.py
@@ -4,19 +4,19 @@
 import pkg_resources
-import os, sys, time, socket, random, string
+import os, time, socket, random, string
 import inspect
 from Cookie import CookieError
 pkg_resources.require( "Cheetah" )
 from Cheetah.Template import Template
 import base
-import pickle
 from functools import wraps
 from galaxy import util
 from galaxy.exceptions import MessageException
 from galaxy.util.json import to_json_string, from_json_string
 from galaxy.util.backports.importlib import import_module
+from galaxy.util.sanitize_html import sanitize_html
 pkg_resources.require( "simplejson" )
 import simplejson
@@ -240,11 +240,11 @@
                          output_encoding = 'utf-8' )
     def handle_controller_exception( self, e, trans, **kwargs ):
+        if isinstance( e, MessageException ):
+            #In the case of a controller exception, sanitize to make sure unsafe html input isn't reflected back to the user
+            return trans.show_message( sanitize_html(e.err_msg), e.type )
-        if isinstance( e, MessageException ):
-            return trans.show_message( e.err_msg, e.type )
     def make_body_iterable( self, trans, body ):
-
         if isinstance( body, FormBuilder ):
             body = trans.show_form( body )
         return base.WebApplication.make_body_iterable( self, trans, body )
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
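Review bot: In the handle_controller_exception hunk only `e.err_msg` is sanitized; `e.type` is passed to `trans.show_message` unchanged on the same line, so if the message type is ever populated from request data it remains a reflection path — a comment stating that `type` must come only from the exception class (or a check against the fixed set of message types) would pin that assumption down. It is also worth asking whether an allow-list HTML sanitizer is the right tool here: if `err_msg` never legitimately carries markup, plain escaping such as `cgi.escape(e.err_msg, quote=True)` is simpler to reason about than relying on sanitize_html's tag and attribute allow-list, whereas keeping `sanitize_html` is appropriate only if callers intentionally embed HTML in messages — a short comment recording which one is intended would help the next reader. Minor style point: the new comment should read `# In the case of a controller exception, ...` with a space after `#` per PEP 8.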