rhodecode-enterprise-ce Commit - r1828:20cd932d

security: fix self-xss inside the email add functionality.

ergo -

r1828:20cd932d default

parent child

rhodecode/apps/admin/views/users.py

0 +1 -2

                         h.flash(_("Added new email address `%s` for user account") % email,
                                 category='success')
                     except formencode.Invalid as error:
-                        msg = error.error_dict['email']
+                        h.flash(h.escape(error.error_dict['email']), category='error')
-                        h.flash(msg, category='error')
                     except Exception:
                         log.exception("Exception during email saving")
                         h.flash(_('An error occurred during email saving'),

rhodecode/apps/my_account/views.py

0 +1 -2

                         h.flash(_("Added new email address `%s` for user account") % email,
                                 category='success')
                     except formencode.Invalid as error:
-                        msg = error.error_dict['email']
+                        h.flash(h.escape(error.error_dict['email']), category='error')
-                        h.flash(msg, category='error')
                     except Exception:
                         log.exception("Exception in my_account_emails")
                         h.flash(_('An error occurred during email saving'),

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages