commit/galaxy-central: kanwei: Fix a few XSS issues in workflow/history
1 new changeset in galaxy-central: http://bitbucket.org/galaxy/galaxy-central/changeset/100347b4e473/ changeset: r5595:100347b4e473 user: kanwei date: 2011-05-25 11:31:26 summary: Fix a few XSS issues in workflow/history affected #: 3 files (70 bytes)
--- a/lib/galaxy/web/controllers/history.py Tue May 24 05:33:07 2011 -0400
+++ b/lib/galaxy/web/controllers/history.py Wed May 25 11:31:26 2011 +0200
@@ -462,7 +462,7 @@
 else:
 assert history.user == trans.user
 # Rename
- history.name = new_name
+ history.name = sanitize_html( new_name )
 trans.sa_session.add( history )
 trans.sa_session.flush()
 return history.name
@@ -1129,7 +1129,7 @@
 change_msg = change_msg + "<p>History: "+cur_names[i]+" is already named: "+name[i]+"</p>"
 elif name[i] not in [None,'',' ']:
 name[i] = escape(name[i])
- histories[i].name = name[i]
+ histories[i].name = sanitize_html( name[i] )
 trans.sa_session.add( histories[i] )
 trans.sa_session.flush()
 change_msg = change_msg + "<p>History: "+cur_names[i]+" renamed to: "+name[i]+"</p>"
--- a/lib/galaxy/web/controllers/workflow.py Tue May 24 05:33:07 2011 -0400
+++ b/lib/galaxy/web/controllers/workflow.py Wed May 25 11:31:26 2011 +0200
@@ -364,7 +364,7 @@
 # Update workflow attributes if new values submitted.
 if 'name' in kwargs:
 # Rename workflow.
- stored.name = kwargs[ 'name' ]
+ stored.name = sanitize_html( kwargs['name'] )
 if 'annotation' in kwargs:
 # Set workflow annotation; sanitize annotation before adding it.
 annotation = sanitize_html( kwargs[ 'annotation' ], 'utf-8', 'text/html' )
@@ -380,7 +380,7 @@
 def rename( self, trans, id, new_name=None, **kwargs ):
 stored = self.get_stored_workflow( trans, id )
 if new_name is not None:
- stored.name = new_name
+ stored.name = sanitize_html( new_name )
 trans.sa_session.flush()
 # For current workflows grid:
 trans.set_message ( "Workflow renamed to '%s'." % new_name )
--- a/templates/workflow/list.mako Tue May 24 05:33:07 2011 -0400
+++ b/templates/workflow/list.mako Wed May 25 11:31:26 2011 +0200
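Review bot: The two history-rename paths in this file now store the name in different encodings — here `history.name = sanitize_html( new_name )` stores whatever markup the sanitizer allows through, while the hunk at -1129 HTML-escapes first and then sanitizes — so any template rendering `history.name` cannot know whether it is safe to emit unescaped. A name is plain text, not HTML: store it unmodified and escape at every render site (the `| h` filter this commit adds to list.mako), or at least apply one normalization in both paths. The method also returns `history.name` to the caller; if that value is inserted into the page by script, the caller must escape it, since sanitize_html presumably keeps an allowlist of tags rather than stripping everything. The enclosing method starts outside the hunk, and the `assert history.user == trans.user` ownership check on the context line is removed under `python -O` — worth turning into a real check that raises while you are here.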
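Review bot: The first context line still builds `change_msg` from the raw submitted `name[i]` — `escape(name[i])` runs only in the `elif` branch, so on the "is already named" path the unescaped input goes straight into `<p>` markup that is presumably rendered as HTML, and `cur_names[i]` is never escaped on either path. Escape both before interpolating, e.g. `change_msg = change_msg + "<p>History: "+escape(cur_names[i])+" is already named: "+escape(name[i])+"</p>"`, and likewise on the last line. Separately, `sanitize_html( name[i] )` on an already-escaped string may re-encode the `&` of `&lt;` into `&amp;lt;` (depends on the sanitizer), storing a double-encoded name; choose escape-on-output or sanitize, not both. The enclosing loop and method start outside the hunk.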
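Review bot: `sanitize_html( kwargs['name'] )` can legitimately return an empty string (a name consisting only of tags), leaving the workflow with a blank name, and nothing here rejects that; consider `name = sanitize_html( kwargs['name'] ).strip()` and a non-empty check before assigning to `stored.name`. Note also that list.mako in this same commit now escapes `workflow.name` with `| h`, so any markup the sanitizer allows through will be displayed as literal text — a plain-text field should be stored unmodified (or fully escaped) and escaped on output, rather than run through an HTML allowlist sanitizer. The enclosing method starts and ends outside the hunk.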
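Review bot: The flash message on the last line interpolates the original `new_name`, not the sanitized `stored.name`, so the unsanitized input still reaches `trans.set_message` — if that message is rendered as HTML without escaping, the XSS this commit fixes for the stored name is reflected once in the response. Use the value actually stored, `trans.set_message( "Workflow renamed to '%s'." % stored.name )`, and confirm the message template escapes it. `rename` also flushes without `trans.sa_session.add( stored )`; that is presumably fine for an object loaded through the session, but it differs from the history controller, which adds first. The method body continues outside the hunk.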
@@ -56,7 +56,7 @@
 <tr>
 <td>
 <div class="menubutton" style="float: left;" id="wf-${i}-popup">
- ${h.to_unicode( workflow.name )}
+ ${h.to_unicode( workflow.name ) | h}
 </div>
 </td>
 <td>${len(workflow.latest_workflow.steps)}</td>
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
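Review bot: The `| h` filter is the right control, but it only covers this one cell — names stored before this commit may contain live markup, so every other place `workflow.name` is rendered (the popup menu this `div` presumably drives is outside the hunk) needs the same filter or stays exploitable. A comment at the render site keeps the next edit from dropping it: `## workflow.name is user-controlled: always render with | h`. Combined with the server-side `sanitize_html` added in workflow.py, this escape means any tags the sanitizer permits will show as literal text, so settle on one layer and document which. The row is presumably inside a loop over workflows (the `${i}` index) that starts outside the hunk.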