authorMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 12:16:33 +0100
committerMatthew Somerville <matthew-github@dracos.co.uk>2016-07-06 16:22:40 +0100
commitb1628916495b945164729ad95c9e9f57b060c62e (patch)
tree0e841971ab5f5ca4c3548ec5806d5f2a1a3ee736
parenta53543e81a52982fadcc97183eded29e11ec1ac5 (diff)
Fix two XSS vulnerabilities.
The title in the OpenGraph header was not being properly escaped, and the hide pins/all pins links were using single quotes which could be broken out of. Also remove the single quotes around rss_feed_uri, though this is not a vulnerability as its contents were sanitised (postcode or co-ords).
-rw-r--r--templates/web/base/alert/_list.html2
-rwxr-xr-xtemplates/web/base/around/display_location.html8
-rw-r--r--templates/web/fixmystreet/alert/_list.html2
-rw-r--r--templates/web/fixmystreet/header_opengraph.html2
4 files changed, 7 insertions, 7 deletions
diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
index 2ffcfae39..d3180dbbc 100644
--- a/templates/web/base/alert/_list.html
+++ b/templates/web/base/alert/_list.html
@@ -17,7 +17,7 @@
<p id="rss_local">
<input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
<label for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
- [% loc('(a default distance which covers roughly 200,000 people)') %] <a href='[% rss_feed_uri %]'>
+ [% loc('(a default distance which covers roughly 200,000 people)') %] <a href="[% rss_feed_uri %]">
<img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
</p>
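Review bot: The new `href="[% rss_feed_uri %]"` on the added line still emits rss_feed_uri without any template-level escaping, so the attribute is safe only while the producer's sanitisation of the value (a postcode or coordinates, per the commit message) holds; a `"` in the value would break out of the new double quotes exactly as `'` could break out of the old ones. Using the filter this same commit applies in header_opengraph.html, `<a href="[% rss_feed_uri | html %]">`, makes the template safe on its own and is a no-op for an already-sanitised value. The identical line in templates/web/fixmystreet/alert/_list.html has the same gap and would take the same change.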
diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
index 3f4ec8881..defcc7b89 100755
--- a/templates/web/base/around/display_location.html
+++ b/templates/web/base/around/display_location.html
@@ -55,16 +55,16 @@
<p id='sub_map_links'>
[% map_sub_links %]
[% IF c.req.params.no_pins %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 0 } ) %]'>[% loc('Show pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 0 } ) %]">[% loc('Show pins') %]</a>
[% ELSE %]
- <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 1 } ) %]'>[% loc('Hide pins') %]</a>
+ <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 1 } ) %]">[% loc('Hide pins') %]</a>
[% END %]
[% IF c.cobrand.country == 'GB' || c.cobrand.country == 'NO' %]
<span class="hidden">|</span>
[% IF c.req.params.all_pins %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]'>[% loc('Hide old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]">[% loc('Hide old') %]</a>
[% ELSE %]
- <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]'>[% loc('Show old') %]</a>
+ <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]">[% loc('Show old') %]</a>
[% END %]
[% END %]
</p>
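Review bot: The four pin links now depend on the stringified result of `c.uri_with(...)` never containing a `"`; as far as I can tell that holds because the URI layer percent-encodes `"` while leaving `'` unescaped (presumably why the single-quoted form was exploitable), but it is a property of the URI module rather than of this template. Applying the html filter on each of the four links, e.g. `href="[% c.uri_with( { no_pins => 0 } ) | html %]"`, makes the escaping explicit and also renders the `&` query separators as `&amp;`, the valid form inside an attribute. The untouched attributes on these lines (`id='hide_pins_link' rel='nofollow'`) still use single quotes, so quoting is now mixed within one tag; the constant attributes could be moved to double quotes at the same time.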
diff --git a/templates/web/fixmystreet/alert/_list.html b/templates/web/fixmystreet/alert/_list.html
index f376e3c66..8eada6315 100644
--- a/templates/web/fixmystreet/alert/_list.html
+++ b/templates/web/fixmystreet/alert/_list.html
@@ -19,7 +19,7 @@
<p id="rss_local">
<input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
<label class="inline" for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
- <a href='[% rss_feed_uri %]'><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
+ <a href="[% rss_feed_uri %]"><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
<br />
[% loc('(a default distance which covers roughly 200,000 people)') %]
</p>
diff --git a/templates/web/fixmystreet/header_opengraph.html b/templates/web/fixmystreet/header_opengraph.html
index d0cd31261..8ea16ca2f 100644
--- a/templates/web/fixmystreet/header_opengraph.html
+++ b/templates/web/fixmystreet/header_opengraph.html
@@ -1,5 +1,5 @@
<meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
- <meta property="og:title" content="[% title || 'FixMyStreet' %]">
+ <meta property="og:title" content="[% title || 'FixMyStreet' | html %]">
<meta property="og:site_name" content="[%- PROCESS 'site-name.html' -%]">
[% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %]
<meta property="og:type" content="website">
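Review bot: The og:url line directly above the fixed one still interpolates `c.cobrand.base_url` and `c.req.uri.path` without the `| html` filter that og:title now gets; `c.req.uri.path` is request-derived, and its safety rests on the URI object percent-encoding `"` rather than on the template. For consistency with the fixed line, `content="[% c.cobrand.base_url %][% c.req.uri.path | html %]"` would make the escaping explicit. The og:site_name line pulls in site-name.html via PROCESS, whose output is not visible here, so whether it needs the same treatment cannot be judged from this hunk.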