* Fixes escaping of comments in the new backend pane to prevent

XSS. Thanks to Steffen Röemann for reporting!
This commit is contained in:
garvinhicking 2014-12-23 11:10:53 +01:00
parent 91412bf73b
commit 36cde3030a
3 changed files with 9 additions and 3 deletions


@ -1,5 +1,11 @@
#
Version 2.0-rc2 (December 23rd, 2014)
------------------------------------------------------------------------
* Fixes escaping of comments in the new backend pane to prevent
XSS. Thanks to Steffen Röemann for reporting!
Version 2.0-rc1 (includes beta4/5/6) (December 19th, 2014)
------------------------------------------------------------------------


@ -44,7 +44,7 @@ if (defined('USE_MEMSNAP')) {
}
// The version string
$serendipity['version'] = '2.0-rc1';
$serendipity['version'] = '2.0-rc2';
// Setting this to 'false' will enable debugging output. All alpha/beta/cvs snapshot versions will emit debug information by default. To increase the debug level (to enable Smarty debugging), set this flag to 'debug'.


@ -39,9 +39,9 @@
{if is_array($comments)}
{foreach $comments as $comment}
<li class="clearfix"><b>{$comment.author|escape|truncate:30:"&hellip;"} {$CONST.IN} <a href="{$comment.entrylink}" title="Comment to {$comment.title}">#{$comment.id}</a></b>
<div class="comment_summary">{$comment.body|truncate:100:"&hellip;"}</div>
<div class="comment_summary">{$comment.body|escape|truncate:100:"&hellip;"}</div>
<div id="c{$comment.id}_full" class="comment_full additional_info">{$comment.fullBody}</div>
<div id="c{$comment.id}_full" class="comment_full additional_info">{$comment.fullBody|escape}</div>
<ul class="plainList actions">
<li><a class="button_link" href="?serendipity[action]=admin&amp;serendipity[adminModule]=comments&amp;serendipity[adminAction]=edit&amp;serendipity[id]={$comment.id}&amp;serendipity[entry_id]={$comment.entry_id}&amp;{$urltoken}" title="{$CONST.EDIT}"><span class="icon-edit"></span><span class="visuallyhidden"> {$CONST.EDIT}</span></a></li>
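Review bot: The `title="Comment to {$comment.title}"` attribute on the author line is still emitted without `|escape` while author, body and fullBody in the same loop now are; if the title can contain characters that came from user input (the hunk does not show where it is built), `title="Comment to {$comment.title|escape}"` would close that last gap in this pane, and the same question applies to `{$comment.entrylink}` in the href. On the changed body line, `|escape|truncate:100` truncates the already-escaped text, so the cut can land inside an entity (e.g. `&amp;` becoming `&am`) and the 100-character budget counts entity characters rather than visible ones; swapping the order would escape the `&hellip;` that truncate appends, so the chosen order is the lesser problem and is worth a short template comment such as `{* escape before truncate: truncate's &hellip; must stay unescaped; a split entity is harmless *}`. Escaping `$comment.fullBody` also neutralises any markup the comment pipeline may have deliberately allowed, which should be confirmed against how fullBody is produced. The enclosing `{foreach}` closes outside this hunk.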