flash_error.tpl:

- html-escape flash_info() / flash_error() messages to fix XSS if the
  message contains user-supplied input
  (thanks to Filippo Cavallarin for the report)

Note: This will cause ugly output for some German error messages which
contain ü etc., and the warning message in backup.php (with some
HTML tags included) will also look totally ugly.
Nevertheless, that's still better than XSS attacks ;-)


git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1331 a1433add-5e2c-0410-b055-b7f2511e0802
pull/2/head
Christian Boltz 13 years ago
parent 19b9535e43
commit e3b242e4d8
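The following is an added illustration, not code from PostfixAdmin or from this commit: it reproduces in plain PHP what the template change above does (the `escape:html` modifier is `htmlspecialchars()` underneath) and why the commit message warns about "ugly" umlauts. The function names `flash_error()`, `render_flash_raw()` and `render_flash_escaped()`, the `$_SESSION['flash']['error']` layout and both sample messages are assumptions modelled on the template, not the project's real API.

```php
<?php
// Added example, not PostfixAdmin code. Names and session layout are assumed.
declare(strict_types=1);

// Assumed helper: queues a message the way the template's $smarty.session.flash.error
// suggests flash_error() does.
function flash_error(string $msg): void
{
    $_SESSION['flash']['error'][] = $msg;
}

// Before the fix: the equivalent of <li>{$msg}</li> -- the message is emitted verbatim,
// so any markup inside user-supplied input reaches the browser.
function render_flash_raw(array $msgs): string
{
    $out = '<ul class="flash-error">';
    foreach ($msgs as $msg) {
        $out .= '<li>' . $msg . '</li>';
    }
    return $out . '</ul>';
}

// After the fix: the equivalent of <li>{$msg|escape:html}</li>. ENT_QUOTES also
// neutralises single quotes, which matters if a message ever lands in an attribute.
function render_flash_escaped(array $msgs): string
{
    $out = '<ul class="flash-error">';
    foreach ($msgs as $msg) {
        $out .= '<li>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $out . '</ul>';
}

$_SESSION = [];

// Constructed input: a form value that is reflected back into a flash message.
$user = 'bob"><script>alert(1)</script>';
flash_error("Mailbox $user not found");

// Constructed input: a German message stored already entity-encoded, which is the
// assumed reason the commit message expects umlauts to render "ugly" after the fix.
flash_error('Ung&uuml;ltige E-Mail-Adresse');

// Vulnerable rendering: the <script> element is delivered intact.
echo render_flash_raw($_SESSION['flash']['error']), "\n";

// Fixed rendering: the markup is inert, but the pre-encoded entity is escaped a
// second time and shows up literally on the page.
echo render_flash_escaped($_SESSION['flash']['error']), "\n";

// Remedy for the cosmetic regression that does not reopen the XSS: store the message
// as plain UTF-8 text and let the template perform the one and only escaping step.
$_SESSION['flash']['error'] = ['Ungültige E-Mail-Adresse'];
echo render_flash_escaped($_SESSION['flash']['error']), "\n";
```

Running it shows the trade-off the commit message describes: with escaping in the template, `&uuml;` in a pre-encoded message turns into `&amp;uuml;` (visible as the literal text `&uuml;`), while the same template renders a message stored as raw `ü` correctly. The durable fix is therefore at the message producers, not an exemption from escaping in the template.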

@ -5,14 +5,14 @@
{if isset($smarty.session.flash.info)}
<ul class="flash-info">
{foreach from=$smarty.session.flash.info item=msg}
<li>{$msg}</li>
<li>{$msg|escape:html}</li>
{/foreach}
</ul>
{/if}
{if isset($smarty.session.flash.error)}
<ul class="flash-error">
{foreach from=$smarty.session.flash.error item=msg}
<li>{$msg}</li>
<li>{$msg|escape:html}</li>
{/foreach}
</ul>
{/if}
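Review bot: both `<li>` lines now escape every message unconditionally, while the commit message itself says the backup.php warning is deliberately built from HTML tags and some German messages carry pre-encoded umlauts, so those will now be double-escaped. Rather than restoring raw `{$msg}` for them later, fix the producers: pass plain UTF-8 text to flash_info()/flash_error(), move the backup.php warning's markup into the template, and keep `{$msg|escape:html}` as the only rendering path so the session array can never be trusted to contain safe HTML. Also worth a one-line note in the commit message or a template comment that flash messages are treated as text, so future callers do not start inserting markup again.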
