Fixes OSQA 446 "Security - Multiple cross site scripting (XSS) vulner…

…abilities". git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@594 0cfe37f9-358a-4d5e-be75-b63607b5c754
justingrant · Sep 13, 2010 · 0a2b0a2 · 0a2b0a2
1 parent 548b04e
commit 0a2b0a2
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/forum/feed.py b/forum/feed.py
@@ -11,6 +11,7 @@
 from models import Question
 from forum import settings
 from forum.modules import decorate
+from forum.utils.pagination import generate_uri
 
 @decorate(add_domain, needs_origin=False)
 def add_domain(domain, url):
@@ -66,7 +67,7 @@ def __call__(self, request):
 
 class RssQuestionFeed(BaseNodeFeed):
     def __init__(self, request, question_list, title, description):
-        url = request.path + "&" + "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        url = request.path + "&" + generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))
         super(RssQuestionFeed, self).__init__(request, title, description, url)
 
         self._question_list = question_list

diff --git a/forum/utils/pagination.py b/forum/utils/pagination.py
@@ -7,15 +7,15 @@
 from django.utils.http import urlquote
 from django.utils.safestring import mark_safe
 from django.utils.html import strip_tags
-
+from forum.utils.html import sanitize_html
 import logging
 
 def generate_uri(querydict, exclude=None):
     all = []
 
     for k, l in querydict.iterlists():
         if (not exclude) or (not k in exclude):
-            all += ["%s=%s" % (k, urlquote(v)) for v in l]
+            all += ["%s=%s" % (k, urlquote(strip_tags(v))) for v in l]
 
     return "&".join(all)
 

diff --git a/forum/views/readers.py b/forum/views/readers.py
@@ -29,6 +29,7 @@
 from forum.actions import QuestionViewAction
 from forum.http_responses import HttpResponseUnauthorized
 from forum.feed import RssQuestionFeed, RssAnswerFeed
+from forum.utils.pagination import generate_uri
 import decorators
 
 class HottestQuestionsSort(pagination.SortBase):
@@ -163,7 +164,7 @@ def question_list(request, initial,
     #answer_description = _("answers")
 
     if not feed_url:
-        req_params = "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        req_params = "&".join(generate_uri(request.GET, (_('page'), _('pagesize'), _('sort'))))
         if req_params:
             req_params = '&' + req_params