3 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/2d51d40f07ca/ Changeset: 2d51d40f07ca Branch: stable User: dannon Date: 2014-12-09 19:46:03+00:00 Summary: Force sanitization of form.title and form.name. Header needs more digging; we actually use html content in the field. Affected #: 1 file diff -r fdc7863699d233e2b44d6d42f47dfaaa97e0d80e -r 2d51d40f07ca0d3ca266a33bf39190dfe8b9a6be templates/form.mako --- a/templates/form.mako +++ b/templates/form.mako @@ -22,7 +22,7 @@ </%def> -<%def name="title()">${form.title}</%def> +<%def name="title()">${form.title | h}</%def><%def name="javascripts()"> ${parent.javascripts()} @@ -53,7 +53,7 @@ %endif <div class="form" style="margin: 1em"> - <div class="form-title">${util.unicodify( form.title )}</div> + <div class="form-title">${util.unicodify( form.title ) | h}</div><div class="form-body"><% has_file_input = False @@ -62,7 +62,7 @@ has_file_input = True break %> - <form name="${form.name}" action="${form.action}" method="post" + <form name="${form.name | h}" action="${form.action}" method="post" %if has_file_input: enctype="multipart/form-data" %endif https://bitbucket.org/galaxy/galaxy-central/commits/7adac1842adf/ Changeset: 7adac1842adf Branch: stable User: dannon Date: 2014-12-09 20:44:08+00:00 Summary: Additionally sanitize form input fields (label, name, etc.) Affected #: 1 file diff -r 2d51d40f07ca0d3ca266a33bf39190dfe8b9a6be -r 7adac1842adf8db15183baff73e971aeab3537a9 templates/form.mako --- a/templates/form.mako +++ b/templates/form.mako @@ -53,7 +53,7 @@ %endif <div class="form" style="margin: 1em"> - <div class="form-title">${util.unicodify( form.title ) | h}</div> + <div class="form-title">${util.unicodify( form.title ) | h }</div><div class="form-body"><% has_file_input = False 
@@ -62,7 +62,7 @@ has_file_input = True break %> - <form name="${form.name | h}" action="${form.action}" method="post" + <form name="${form.name | h }" action="${form.action}" method="post" %if has_file_input: enctype="multipart/form-data" %endif @@ -76,28 +76,28 @@ <div class="${cls}"> %if input.use_label: <label> - ${_(input.label)}: + ${_(input.label) | h }: </label> %endif <div class="form-row-input"> %if input.type == 'textarea': - <textarea name="${input.name}">${input.value}</textarea> + <textarea name="${input.name | h }">${input.value | h }</textarea> %elif input.type == 'select': - <select name="${input.name}"> + <select name="${input.name | h}"> %for (name, value) in input.options: - <option value="${value}">${name}</option> + <option value="${value | h }">${name | h }</option> %endfor </select> %else: - <input type="${input.type}" name="${input.name}" value="${input.value}"> + <input type="${input.type}" name="${input.name | h }" value="${input.value | h }"> %endif </div> %if input.error: - <div class="form-row-error-message">${input.error}</div> + <div class="form-row-error-message">${input.error | h }</div> %endif %if input.help: <div class="toolParamHelp" style="clear: both;"> - ${input.help} + ${input.help | h} </div> %endif <div style="clear: both"></div> https://bitbucket.org/galaxy/galaxy-central/commits/212e1d5e9be5/ Changeset: 212e1d5e9be5 Branch: stable User: jmchilton Date: 2014-12-10 17:20:55+00:00 Summary: Merged in dannon/galaxy-central/stable (pull request #602) [STABLE] Force sanitization of form.title and form.name. Header needs more digging; we actually use html content in the field. Affected #: 1 file diff -r 2db0fb9594d6c315e4e0a4be70f64373cfc708f6 -r 212e1d5e9be5a9a1e12c834bd545de504753c9fe templates/form.mako --- a/templates/form.mako +++ b/templates/form.mako @@ -22,7 +22,7 @@ </%def> -<%def name="title()">${form.title}</%def> +<%def name="title()">${form.title | h}</%def><%def name="javascripts()"> ${parent.javascripts()} 
@@ -53,7 +53,7 @@ %endif <div class="form" style="margin: 1em"> - <div class="form-title">${util.unicodify( form.title )}</div> + <div class="form-title">${util.unicodify( form.title ) | h }</div><div class="form-body"><% has_file_input = False @@ -62,7 +62,7 @@ has_file_input = True break %> - <form name="${form.name}" action="${form.action}" method="post" + <form name="${form.name | h }" action="${form.action}" method="post" %if has_file_input: enctype="multipart/form-data" %endif @@ -76,28 +76,28 @@ <div class="${cls}"> %if input.use_label: <label> - ${_(input.label)}: + ${_(input.label) | h }: </label> %endif <div class="form-row-input"> %if input.type == 'textarea': - <textarea name="${input.name}">${input.value}</textarea> + <textarea name="${input.name | h }">${input.value | h }</textarea> %elif input.type == 'select': - <select name="${input.name}"> + <select name="${input.name | h}"> %for (name, value) in input.options: - <option value="${value}">${name}</option> + <option value="${value | h }">${name | h }</option> %endfor </select> %else: - <input type="${input.type}" name="${input.name}" value="${input.value}"> + <input type="${input.type}" name="${input.name | h }" value="${input.value | h }"> %endif </div> %if input.error: - <div class="form-row-error-message">${input.error}</div> + <div class="form-row-error-message">${input.error | h }</div> %endif %if input.help: <div class="toolParamHelp" style="clear: both;"> - ${input.help} + ${input.help | h} </div> %endif <div style="clear: both"></div> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
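Review bot: In the `@@ -62,7 +62,7 @@` hunk of 2d51d40f07ca and the `@@ -76,28 +76,28 @@` hunk of 7adac1842adf, the `action="${form.action}"` and `type="${input.type}"` attributes are left without the `| h` filter while the neighbouring `name`, `value` and `option` expressions all receive it. Both sit in attribute context, so if either value can ever originate from request parameters or a stored form definition it needs the same escaping; either add `| h` there for consistency, e.g. `<input type="${input.type | h}" name="${input.name | h}" value="${input.value | h}">`, or note in the commit that these are always server-side constants.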
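Review bot: The `@@ -53,7 +53,7 @@` and `@@ -62,7 +62,7 @@` hunks of 7adac1842adf only change `| h}` to `| h }`, which is a whitespace-only no-op relative to 2d51d40f07ca, and the same change then mixes both spellings within one file (`${input.name | h }` next to `${input.name | h}` and `${input.help | h}`). Pick one form, preferably the existing `| h}`, so the diff carries only the substantive escaping change and later greps for unfiltered expressions stay simple.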
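Review bot: In the `@@ -76,28 +76,28 @@` hunk of 7adac1842adf, `${input.help | h}` inside the `toolParamHelp` div will render any markup in the help text literally; the commit message for 2d51d40f07ca already notes that at least one field legitimately carries HTML content, so it is worth confirming that help strings never do before merging, or switching that one expression to a sanitizing whitelist filter rather than full escaping. The order in `${_(input.label) | h }` is right, translation lookup first and escaping of the result second.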
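Review bot: The diff in merge commit 212e1d5e9be5 is the combined content of 2d51d40f07ca and 7adac1842adf, so the comments on those hunks apply to it unchanged, but its summary, "Force sanitization of form.title and form.name", describes only the first commit while the merged hunks also escape every input field (`label`, `name`, `value`, `option`, `error`, `help`). Amending the pull request title so the merge message reflects the full scope would make the history easier to audit.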