Anonymous avatar Anonymous committed aaba4d2

Added missing HTML encoding for page titles (security fix!)


Files changed (3)

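--- a/app/main/index/search.lua
+++ b/app/main/index/search.lua
 local search_for = param.get("search_for", atom.string) or "global"
 local search_string = param.get("search", atom.string)
 
-slot.put_into("title", _("Search results for: '#{search}'", { search  = search_string }))
+slot.put_into("title", encode.html(_("Search results for: '#{search}'", { search  = search_string })))
 
 
 if search_for == "global" or search_for == "member" then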
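Review bot: Wrapping this one `slot.put_into("title", ...)` call in `encode.html` fixes the two call sites in this commit, but it leaves any other title producer that was overlooked unencoded, and the next one added will have to remember the wrapper; if the `title` slot is rendered in a single place, encoding there (or making `slot.put_into` encode for that slot by default) would close the whole class of bug rather than these instances. The same remark applies to the history.lua hunk. Separately, `search_string` presumably is nil when the `search` parameter is absent, and what `_()` interpolates for a nil value is not visible here, so it is worth confirming the title does not render a literal "nil" in that case.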

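--- a/app/main/member/history.lua
+++ b/app/main/member/history.lua
 local member = Member:by_id(param.get_id())
 
-slot.put_into("title", _("Member name history for '#{name}'", { name = member.name }))
+slot.put_into("title", encode.html(_("Member name history for '#{name}'", { name = member.name })))
 
 slot.select("actions", function()
   ui.link{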
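Review bot: The new title line still dereferences `member.name` without checking that `Member:by_id(param.get_id())` returned a row, so an unknown or malformed id presumably fails with an "attempt to index a nil value" error rather than a clean not-found response. A guard before the title, `if not member then ... end`, using whatever not-found handling the app already has, would address it. The encoding change itself looks correct; the `slot.select("actions", ...)` block continues outside the hunk.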

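--- a/config/default.lua
+++ b/config/default.lua
 config.app_name = "LiquidFeedback"
-config.app_version = "beta13"
+config.app_version = "beta14"
 
 config.app_title = config.app_name .. " (" .. request.get_config_name() .. " environment)"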
 