authorMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 12:16:33 +0100
committerMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 16:24:18 +0100
commite57204c2676664a2d6551a7f2c859d722646b28c (patch)
tree4807bb18ff1fdf924e7e8f3d0240e05a701fec50
parent738b56a6b7d0a8ca93f78406054a7c9edae85fc3 (diff)
Fix two XSS vulnerabilities.
The title in the OpenGraph header was not being properly escaped, and the hide pins/all pins links were using single quotes which could be broken out of. Also remove the single quotes around rss_feed_uri, though this is not a vulnerability as its contents were sanitised (postcode or co-ords).
-rw-r--r--templates/web/base/alert/_list.html2
-rwxr-xr-xtemplates/web/base/around/display_location.html8
-rw-r--r--templates/web/base/header_opengraph.html2
3 files changed, 6 insertions, 6 deletions
diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
index 395948248..88aa0342b 100644
--- a/templates/web/base/alert/_list.html
+++ b/templates/web/base/alert/_list.html
@@ -19,7 +19,7 @@
<p id="rss_local">
<input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
<label class="inline" for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
- <a href='[% rss_feed_uri %]'><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
+ <a href="[% rss_feed_uri %]"><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
<br />
[% loc('(a default distance which covers roughly 200,000 people)') %]
</p>
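Review bot: The new line mixes quote styles: `href` is now double-quoted while `src`, `width`, `height`, `title`, `alt` and `border` on the same `<img>` stay single-quoted. Since the point of the change is that single-quoted attribute values are the fragile form, the convention should be applied to the whole line, e.g. `<img src="/i/feed.png" width="16" height="16" title="[% loc('RSS feed of nearby problems') %]" alt="[% loc('RSS feed') %]">`. The `title` and `alt` values come from `loc()` and are presumably translation strings rather than request data, so this is consistency rather than a new hole; `border` is a deprecated presentational attribute and could be dropped at the same time.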
diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
index d38ae6754..a41c67453 100755
--- a/templates/web/base/around/display_location.html
+++ b/templates/web/base/around/display_location.html
@@ -55,16 +55,16 @@
<p id='sub_map_links'>
[% map_sub_links %]
[% IF c.req.params.no_pins %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 0 } ) %]'>[% loc('Show pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 0 } ) %]">[% loc('Show pins') %]</a>
[% ELSE %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 1 } ) %]'>[% loc('Hide pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 1 } ) %]">[% loc('Hide pins') %]</a>
[% END %]
[% IF c.cobrand.country == 'GB' || c.cobrand.country == 'NO' %]
<span class="hidden">|</span>
[% IF c.req.params.all_pins %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]'>[% loc('Hide old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]">[% loc('Hide old') %]</a>
[% ELSE %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]'>[% loc('Show old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]">[% loc('Show old') %]</a>
[% END %]
[% END %]
</p>
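Review bot: The four new `href` attributes are still emitted without an explicit escape, so the fix holds only if whatever `c.uri_with()` returns is percent-encoded such that it never contains a literal `"`; that invariant is not visible in the template, and a later edit back to single quotes would silently reopen the issue. Passing the value through the template's HTML filter, as the og:title change in this commit already does, makes the attribute safe regardless of quoting: `href="[% c.uri_with( { no_pins => 0 } ) | html %]"`, and likewise for the other three links. A template comment above `sub_map_links` stating that interpolated attribute values must be double-quoted and HTML-filtered would document the rule for the next contributor.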
diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html
index f728d083f..6b2c8ff46 100644
--- a/templates/web/base/header_opengraph.html
+++ b/templates/web/base/header_opengraph.html
@@ -1,5 +1,5 @@
<meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
- <meta property="og:title" content="[% title || site_name %]">
+ <meta property="og:title" content="[% title || site_name | html %]">
<meta property="og:site_name" content="[% site_name %]">
[% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %]
<meta property="og:type" content="website">
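Review bot: The sibling attributes around the fixed line remain unfiltered: `og:url` interpolates `c.req.uri.path`, which is request-derived, and `og:site_name` interpolates `site_name` with no `| html`. `site_name` is presumably configuration and a URI object's path is presumably percent-encoded, but neither guarantee is visible in this hunk, and applying the filter uniformly costs nothing: `<meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path | html %]">` and `<meta property="og:site_name" content="[% site_name | html %]">`.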