author | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-07-06 12:16:33 +0100 |
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-07-06 16:29:06 +0100 |
commit | 709193b9ccb60d70f9b646a9c498abde125f828f (patch) | |
tree | 51d9cc73eb4b4c3fd42596acc25a03fc5ff80965 | |
parent | 0858b04fccef1beb3c798bfa734a23621b02e083 (diff) |
Fix two XSS vulnerabilities.
The title in the OpenGraph header was not being HTML-escaped, and
the hide pins/all pins links placed the URL inside single-quoted
attributes, so a single quote in the URL could break out of the attribute.
Also remove the single quotes around rss_feed_uri, though this is not
a vulnerability as its contents were sanitised (postcode or co-ords).
-rw-r--r-- | templates/web/base/alert/_list.html | 2 | ||||
-rwxr-xr-x | templates/web/base/around/display_location.html | 8 | ||||
-rw-r--r-- | templates/web/base/header_opengraph.html | 2 |
3 files changed, 6 insertions, 6 deletions
diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
index 65bba2fed..f94ce84f8 100644
--- a/templates/web/base/alert/_list.html
+++ b/templates/web/base/alert/_list.html
@@ -20,7 +20,7 @@
 <p id="rss_local">
 <input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
 <label class="inline" for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
- <a href='[% rss_feed_uri %]'><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
+ <a href="[% rss_feed_uri %]"><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
 <br />
 [% loc('(a default distance which covers roughly 200,000 people)') %]
 </p>
diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
index 0ae1aadf5..737a44c34 100755
--- a/templates/web/base/around/display_location.html
+++ b/templates/web/base/around/display_location.html
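Review bot: On the changed `<a href>` line, `rss_feed_uri` is still interpolated with no output filter, so the attribute's safety rests entirely on whatever sanitises the value before it reaches the template. The commit message says it is a postcode or coordinates, which is plausible but not something this hunk shows; `<a href="[% rss_feed_uri | html %]">` would make the template safe on its own and would also emit `&amp;` correctly should the URI ever carry a query string. The `<img>` on the same line keeps single-quoted attributes while the new `href` is double-quoted; settling on one quoting style per file would make a reintroduction of the single-quote problem easier to spot.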
@@ -56,16 +56,16 @@
 <p id='sub_map_links'>
 [% map_sub_links %]
 [% IF c.req.params.no_pins %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 0 } ) %]'>[% loc('Show pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 0 } ) %]">[% loc('Show pins') %]</a>
 [% ELSE %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 1 } ) %]'>[% loc('Hide pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 1 } ) %]">[% loc('Hide pins') %]</a>
 [% END %]
 [% IF c.cobrand.country == 'GB' || c.cobrand.country == 'NO' %]
 <span class="hidden">|</span>
 [% IF c.req.params.all_pins %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]'>[% loc('Hide old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]">[% loc('Hide old') %]</a>
 [% ELSE %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]'>[% loc('Show old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]">[% loc('Show old') %]</a>
 [% END %]
 [% END %]
 </p>
diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html
index f728d083f..6b2c8ff46 100644
--- a/templates/web/base/header_opengraph.html
+++ b/templates/web/base/header_opengraph.html
@@ -1,5 +1,5 @@
 <meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
- <meta property="og:title" content="[% title || site_name %]">
+ <meta property="og:title" content="[% title || site_name | html %]">
 <meta property="og:site_name" content="[% site_name %]">
 [% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %] <meta property="og:type" content="website"> |
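Review bot: The four changed `href` attributes now depend on `c.uri_with` never returning a literal double quote, which the fix assumes rather than enforces; the original bug was exactly that the URL-building layer let a quote character through, and only the quote that happens to survive URI encoding has changed. Escaping in the template, e.g. `href="[% c.uri_with( { no_pins => 0 } ) | html %]"`, removes that dependency and also turns the raw `&` between query parameters into the `&amp;` an HTML attribute expects. The `id` and `rel` attributes on the same lines still use single quotes, so each element now mixes both quoting styles.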
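Review bot: The `og:url` meta on the context line above the change still interpolates `c.req.uri.path` without a filter, and that value is derived from the request path, so it deserves the same treatment as the title: `content="[% c.cobrand.base_url %][% c.req.uri.path | html %]"`. Whether the path can actually carry a raw double quote depends on how the request URI is decoded upstream, which is not visible here, so this is defence in depth rather than a confirmed bypass. On the changed line, `title || site_name | html` relies on the filter binding more loosely than `||`; writing `(title || site_name) | html` makes it explicit to the next reader that both branches are escaped.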