flash_error.tpl:

- html-escape flash_info() / flash_error() messages to fix XSS if the message contains user-supplied input (thanks to Filippo Cavallarin for the report) Note: This will cause ugly output for some german error messages which contain ü etc., and the warning message in backup.php (with some HTML tags included) will also look totally ugly. Nevertheless, that's still better than XSS attacks ;-) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1331 a1433add-5e2c-0410-b055-b7f2511e0802
13 years ago · e3b242e4d8
parent 19b9535e43
commit e3b242e4d8
1 changed files with 2 additions and 2 deletions
--- a/templates/flash_error.tpl
+++ b/templates/flash_error.tpl
@ -5,14 +5,14 @@
 			{if isset($smarty.session.flash.info)}
 				<ul class="flash-info">
 					{foreach from=$smarty.session.flash.info item=msg}
-						<li>{$msg}</li>
+						<li>{$msg|escape:html}</li>
 					{/foreach}
 				</ul>
 			{/if}
 			{if isset($smarty.session.flash.error)}
 				<ul class="flash-error">
 					{foreach from=$smarty.session.flash.error item=msg}
-						<li>{$msg}</li>
+						<li>{$msg|escape:html}</li>
 					{/foreach}
 				</ul>
 			{/if}