Escape version string in update notifier.

Fixes #674.

Backported from master branch.

Signed-off-by: Thomas Hochstein <thh@inter.net>
Thomas Hochstein 2020-03-20 19:05:31 +01:00
parent 307f1c3dad
commit 9709592b7c
2 changed files with 3 additions and 1 deletions


@ -21,6 +21,8 @@ Version 2.3.3-beta1 ()
* Fix: Add valid HTTP referrer when trying to delete a * Fix: Add valid HTTP referrer when trying to delete a
* Fix: Escape version string in update notifier to avoid XSS.
* Fix: Prevent renaming a ML object into an existing file, * Fix: Prevent renaming a ML object into an existing file,
resulting in deletion of both from disk and database. resulting in deletion of both from disk and database.
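Review bot: The new changelog entry ("Fix: Escape version string in update notifier to avoid XSS.") does not reference the issue it closes, although the commit message names #674. If the changelog's conventions allow it, append the issue number so that readers of the release notes can trace the fix to the report. It would also help to say that the affected output is the dashboard update notification, so administrators know which view was exposed.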


@ -30,7 +30,7 @@
<section id="dashboard_update"> <section id="dashboard_update">
<h3>{$CONST.UPDATE_NOTIFICATION}</h3> <h3>{$CONST.UPDATE_NOTIFICATION}</h3>
<span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$CONST.NEW_VERSION_AVAILABLE} {$curVersion}</span> <span class="msg_notice"><span class="icon-info-circled" aria-hidden="true"></span> {$CONST.NEW_VERSION_AVAILABLE} {$curVersion|escape}</span>
{$updateButton} {$updateButton}
</section> </section>
<hr class="separator"> <hr class="separator">
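Review bot: `{$updateButton}` on the line directly below the fixed span is still emitted without any modifier. If it holds markup built on the PHP side, it cannot simply be piped through `|escape`, so please confirm in this change that the code building it escapes any version string or URL it embeds, in case it draws on the same update check as `{$curVersion}`. The `{$curVersion|escape}` change itself fits the context: Smarty's `escape` modifier defaults to HTML escaping, which is what a text node inside the `<span>` needs.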