author | Matthew Somerville <matthew@mysociety.org> | 2019-11-21 21:21:46 +0000 |
committer | Matthew Somerville <matthew@mysociety.org> | 2019-11-22 13:11:51 +0000 |
commit | 199f90a375124b684f9d3e64299dbf3967fb1640 (patch) | |
tree | d15e66b36bf5d956d77aea2b2b43944989a48fde | |
parent | 9f855f70a644c79182128b7c5384a460e5c2450d (diff) |
Escape pager.current_page.
-rw-r--r-- | CHANGELOG.md | 2 | ||||
-rw-r--r-- | templates/web/base/pagination.html | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f85991373..95514c3b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,8 @@
 ## Releases
 * Unreleased
+ - Security:
+ - Fix XSS vulnerability in pagination page number.
 - Front end improvements:
 - Improved 403 message, especially for private reports. #2511
 - Mobile users can now filter the pins on the `/around` map view. #2366
diff --git a/templates/web/base/pagination.html b/templates/web/base/pagination.html
index 3b7bdc0b2..9efdc3d78 100644
--- a/templates/web/base/pagination.html
+++ b/templates/web/base/pagination.html
@@ -1,5 +1,5 @@
 [% IF pager.total_entries > 1 %]
- <p class="pagination" data-page="[% pager.current_page %]">
+ <p class="pagination" data-page="[% pager.current_page | html %]">
 [% IF pager.previous_page %]
 <a class="prev" href="[% c.uri_with({ $param => pager.previous_page, ajax => undefined }) %][% '#' _ hash IF hash %]">[% loc('Previous') %]</a>
 [% END %]
|
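Review bot: The `| html` filter on the new `data-page` line is only sufficient because the attribute is double-quoted — Template Toolkit's `html` filter escapes `&`, `<`, `>` and `"` but not `'`, so a later change to single-quoted attributes would reopen the injection; a short template comment would guard against that, e.g. `[%# current_page can be attacker-controlled (from the page query param); keep | html and the double quotes %]`. Escaping at output is the right minimal fix, but the root cause appears to be that a non-integer page value reaches the pager at all (the `c.uri_with({ $param => ... })` line below suggests the page comes straight from a query-string key, so I am inferring this from the hunk); validating or coercing that parameter to a positive integer where the pager is built, outside this file, would protect any other consumer of `current_page` as well. Any other uses of `pager.current_page` in this template fall outside the hunk and cannot be checked here. The `[% IF pager.total_entries > 1 %]` block opened on the first line continues past the end of the hunk.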