This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch db/8536
in repository https://gitbox.apache.org/repos/asf/allura.git

commit dd6f57588365a2a6282efa863647c8620ea5c8e8
Author: Dave Brondsema <dbronds...@slashdotmedia.com>
AuthorDate: Fri Feb 9 16:17:26 2024 -0500

    [#8536] improve safety
---
 Allura/allura/ext/personal_dashboard/templates/sections/projects.html | 4 ++--
 Allura/allura/ext/user_profile/templates/sections/projects.html       | 2 +-
 Allura/allura/lib/widgets/forms.py                                    | 3 ++-
 Allura/allura/templates/jinja_master/master.html                      | 2 +-
 Allura/allura/templates_responsive/jinja_master/master.html           | 2 +-
 5 files changed, 7 insertions(+), 6 deletions(-)

diff --git 
a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html 
b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index ccbd270a3..b65f7971d 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -43,7 +43,7 @@
                 {%- endif -%}
                 <span class="project-info">
                 <a href="{{ project.url() }}">{{ project.name }}</a>
-                {{ project.summary or '&nbsp;'|safe }}
+                {{ project.summary or ('&nbsp;'|safe) }}
             </span>
                 <span class="project-last-updated">
                 Last Updated:
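Review bot: The added parentheses only make the existing precedence explicit — Jinja2 applies a filter to its immediate operand, so `'&nbsp;'|safe` was already evaluated before `or` and `project.summary` was never marked safe — which means the rendered output should be unchanged; the same applies to the user_profile/templates/sections/projects.html hunk. If the intent was to guarantee that `project.summary` is escaped, that still depends on autoescaping being enabled for this template, which the hunk does not show. A short comment such as `{# only the placeholder is marked safe; summary stays autoescaped #}` next to the expression would record that intent for the next reader.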
@@ -71,4 +71,4 @@
         $(this).hide().closest('.section-body').find('li.hidden').show();
     });
     </script>
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html 
b/Allura/allura/ext/user_profile/templates/sections/projects.html
index e774111d6..3b306ec8d 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -43,7 +43,7 @@
             {%- endif -%}
             <span class="project-info">
                 <a href="{{project.url()}}">{{project.name}}</a>
-                {{project.summary or '&nbsp;'|safe}}
+                {{project.summary or ('&nbsp;'|safe)}}
             </span>
             <span class="project-last-updated">
                 Last Updated:
diff --git a/Allura/allura/lib/widgets/forms.py 
b/Allura/allura/lib/widgets/forms.py
index 134cd6f40..65121ed5c 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -18,6 +18,7 @@
 import logging
 from html import escape as html_escape
 
+import html
 from tg import app_globals as g, tmpl_context as c
 from formencode import validators as fev
 import formencode
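Review bot: `import html` duplicates the `from html import escape as html_escape` two lines above and is placed in the third-party import group rather than with the stdlib imports. Using the alias already in scope, `text=html_escape(cat.shortname)`, in the RemoveTroveCategoryForm hunk below would avoid the extra import entirely. In that same hunk the raw value is still passed as `attrs={'disabled': True, 'value': cat.shortname}`; presumably ew escapes attribute values when it renders the field, which is worth confirming given that `text` evidently is not. The enclosing class body continues outside both hunks.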
@@ -616,7 +617,7 @@ class RemoveTroveCategoryForm(ForgeForm):
                         text=cat.fullname,
                         href="/categories/%s" % cat.trove_cat_id),
                     ew.HTMLField(
-                        text=cat.shortname,
+                        text=html.escape(cat.shortname),
                         attrs={'disabled': True, 'value': cat.shortname}),
                     ew.SubmitButton(
                         show_errors=False,
diff --git a/Allura/allura/templates/jinja_master/master.html 
b/Allura/allura/templates/jinja_master/master.html
index 72c03bc2d..6d0d829c1 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -173,7 +173,7 @@
 {{ theme_macros.custom_js() }}
 
 {% if flash %}
-    <script type="text/javascript">{{ flash | safe }}</script>
+    <script type="text/javascript">{{ flash | safe }}</script>{# comes from 
flash.static_template in root.py and escaped by tg.flash allow_html setting #}
 {% endif %}
 <script>
     $(document).ready(function () {
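Review bot: The new comment justifies `{{ flash | safe }}` by pointing at `flash.static_template` in root.py and the tg.flash allow_html setting, so the safety of this output now rests on a configuration value the template cannot see; the same comment is added in templates_responsive/jinja_master/master.html. Consider stating in the comment which allow_html value is required (presumably the one that escapes the message text) so that a later configuration change is recognizable as a regression, or pinning the behavior with a test that renders a flash message containing markup and asserts it arrives escaped.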
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html 
b/Allura/allura/templates_responsive/jinja_master/master.html
index be687919c..3786e2b88 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -161,7 +161,7 @@
 {% endif %}
 {{ theme_macros.custom_js() }}
 {% if flash %}
-    <script type="text/javascript">{{ flash | safe }}</script>
+    <script type="text/javascript">{{ flash | safe }}</script>{# comes from 
flash.static_template in root.py and escaped by tg.flash allow_html setting #}
 {% endif %}
 </body>
 </html>
