From 7e408c874ac9b84f62bd48a3a6f2b57bae866d29 Mon Sep 17 00:00:00 2001 From: sterni Date: Fri, 15 Jan 2021 14:39:16 +0100 Subject: fix(panettone): escape value attr of inputs if dynamic content I checked all :value attributes in panettone.lisp and wrapped them with who:escape-string if its value comes from user-influenced places. Static values or values from panettone internals are left as is. I did not do a comprehensive check for other places where something similar could happen though. Fixes #92. Change-Id: I134acc0d2f025f173588b37c19a93589365e879b Reviewed-on: https://cl.tvl.fyi/c/depot/+/2401 Tested-by: BuildkiteCI Reviewed-by: glittershark --- web/panettone/src/panettone.lisp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/web/panettone/src/panettone.lisp b/web/panettone/src/panettone.lisp index bcf215d15828..aaf58bd1915e 100644 --- a/web/panettone/src/panettone.lisp +++ b/web/panettone/src/panettone.lisp @@ -147,7 +147,7 @@ (:form :method :post :action "/login" (:input :type "hidden" :name "original-uri" - :value original-uri) + :value (who:escape-string original-uri)) (:div (:label :for "username" "Username") @@ -251,7 +251,8 @@ :name "subject" :placeholder "Subject" :value (when editing - (subject issue)))) + (who:escape-string + (subject issue))))) (:div (:textarea :name "body" -- cgit 1.4.1
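Review bot: in the first hunk (the `original-uri` hidden input in the `/login` form), wrapping the value in `who:escape-string` closes the attribute-injection hole, since the default escape set covers `<`, `>`, `&`, `'` and `"`, so a crafted value can no longer break out of the quoted `:value`. Two follow-ups worth raising. First, escaping is now applied call site by call site; a small helper such as an `escaped-value` function used everywhere a `:value` is built from request data would stop the next `:input` from repeating the original bug, which matters given the commit message says no comprehensive check of other places was done. Second, because this field carries the URI the user is sent to after login, confirm that wherever it is consumed it is also validated as a same-origin relative path; output escaping prevents markup injection but says nothing about where a redirect may point.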
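Review bot: in the second hunk (the `subject` input, rendered when `editing` is true), the escaped call is correctly kept inside the `(when editing ...)` form, so when not editing the value stays `nil` and cl-who omits the attribute rather than emitting an empty string. The `(:textarea :name "body"` element directly below is cut off in the context lines but, by construction, renders the issue body in the same editing path; since this change only audited `:value` attributes, it should be checked that the textarea's content is emitted through an escaping form (`esc` / `who:escape-string`) rather than `str`, otherwise the same user-controlled text lands unescaped in element content instead of an attribute.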