
Daniel Blankenberg committed 87ce7c4

HTML escape values that could be set by the user in templates/webapps/community/repository_review/edit_review.mako.


Files changed (1)

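--- a/templates/webapps/community/repository_review/edit_review.mako
+++ b/templates/webapps/community/repository_review/edit_review.mako
 %endif
 
 <div class="toolForm">
-    <div class="toolFormTitle">My review of repository '${repository.name}'</div>
+    <div class="toolFormTitle">My review of repository '${repository.name | h}'</div>
     <div class="toolFormBody">
         <form name="edit_review" action="${h.url_for( controller='repository_review', action='edit_review', id=trans.security.encode_id( review.id ) )}" method="post" >
             <div class="form-row">
             </div>
             <div class="form-row">
                 <label>Repository owner:</label>
-                ${repository.user.username}
+                ${repository.user.username | h}
                 <div style="clear: both"></div>
             </div>
             <div class="form-row">
                 <label>Repository synopsis:</label>
-                ${repository.description}
+                ${repository.description | h}
                 <div style="clear: both"></div>
             </div>
             <div class="form-row">
                             review_button_name = '%s%sreview_button' % ( component_name, STRSEP )
                         %>
                         <tr>
-                            <td bgcolor="#D8D8D8"><b>${component.name}</b></td>
-                            <td bgcolor="#D8D8D8">${component.description}</td>
+                            <td bgcolor="#D8D8D8"><b>${component.name | h}</b></td>
+                            <td bgcolor="#D8D8D8">${component.description | h}</td>
                         </tr>
                         <tr>
                             <td colspan="2">
                                         <td>
                                             <label>Comments:</label>
                                             %if component_review:
-                                                <pre><textarea name="${comment_name}" rows="3" cols="80">${comment}</textarea></pre>
+                                                <pre><textarea name="${comment_name}" rows="3" cols="80">${comment | h}</textarea></pre>
                                             %else:
                                                 <textarea name="${comment_name}" rows="3" cols="80"></textarea>
                                             %endif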
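Review bot: The `name="${comment_name}"` attribute on the rewritten textarea line in the last hunk (and on the unchanged `%else` textarea two lines below it) is still interpolated without `| h`, even though the same commit treats `component.name` as user-controlled; if `comment_name` is built from `component_name` the way `review_button_name` is at the top of the previous hunk, a quote or angle bracket in a component name would still reach the attribute unescaped. I would apply the same filter there, `<pre><textarea name="${comment_name | h}" rows="3" cols="80">${comment | h}</textarea></pre>`, and likewise on the `%else` branch. More broadly, the commit opts in to escaping one expression at a time, so any `${...}` this template gains later defaults back to raw output; declaring `<%page expression_filter="h"/>` at the top of the template (with `| n` only on the few expressions that must emit markup) would make escaping the default rather than the exception. Whether component names and the derivation of `comment_name` are actually user-settable is not visible in this hunk, and the enclosing table row and `<td>` start outside it.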