Thomas Waldmann committed 41e2918

escape metadata to avoid XSS / html / js injection via item_name, comment or other user-settable metadata (should fix #3)

Files changed (1)

MoinMoin/items/__init__.py

     data = property(fget=get_data)
 
     def _render_meta(self):
-        return "<pre>%s</pre>" % self.meta_dict_to_text(self.meta, use_filter=False)
+        return "<pre>%s</pre>" % escape(self.meta_dict_to_text(self.meta, use_filter=False))
 
     def get_templates(self, mimetype=None):
         """ create a list of templates (for some specific mimetype) """