mbirth/LuckyCoinkydink
1
0
Fork 0
Code Issues Pull Requests Activity

Merge pull request #678 from th-h/master

Browse Source 
Escape version string in update notifier.
This commit is contained in:
Thomas Hochstein 2020-03-20 19:08:46 +01:00 committed by GitHub
commit 2a58548bd3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/NEWS
View File

@ -1,6 +1,8 @@
Version 2.4-alpha1 ()
------------------------------------------------------------------------
* Fix: Escape version string in update notifier to avoid XSS.
* Fix: Prevent renaming a ML object into an existing file,
resulting in deletion of both from disk and database.

4
templates/2k11/admin/overview.inc.tpl
View File

@ -30,7 +30,7 @@
<section id="dashboard_update">
<h3>{$CONST.UPDATE_NOTIFICATION}</h3>
<span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$CONST.NEW_VERSION_AVAILABLE} {$curVersion}</span>
<span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$CONST.NEW_VERSION_AVAILABLE} {$curVersion|escape}</span>
{$updateButton}
</section>
<hr class="separator">
@ -41,7 +41,7 @@
<section id="dashboard_plugin_updates">
<h3>{$CONST.UPDATE_NOTIFICATION}</h3>
<span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$pluginUpdates}</span>
<span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$pluginUpdates|escape}</span>
</section>
<hr class="separator">
{/if}