From: hernani
Date: Mon, 13 Sep 2010 22:00:42 +0000 (+0000)
Subject: Fixes OSQA 446 "Security - Multiple cross site scripting (XSS) vulnerabilities".
X-Git-Tag: live~540
X-Git-Url: https://git.openstreetmap.org./osqa.git/commitdiff_plain/0a2b0a2e41dade79cbe655ff1f123696c2a53149

Fixes OSQA 446 "Security - Multiple cross site scripting (XSS) vulnerabilities".

git-svn-id: http://svn.osqa.net/svnroot/osqa/trunk@594 0cfe37f9-358a-4d5e-be75-b63607b5c754
---
diff --git a/forum/feed.py b/forum/feed.py
index d91fc22..f404009 100644
--- a/forum/feed.py
+++ b/forum/feed.py
@@ -11,6 +11,7 @@ from django.utils.safestring import mark_safe
 from models import Question
 from forum import settings
 from forum.modules import decorate
+from forum.utils.pagination import generate_uri
 @decorate(add_domain, needs_origin=False)
 def add_domain(domain, url):
@@ -66,7 +67,7 @@ class BaseNodeFeed(Feed):
 class RssQuestionFeed(BaseNodeFeed):
     def __init__(self, request, question_list, title, description):
-        url = request.path + "&" + "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        url = request.path + "&" + generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))
         super(RssQuestionFeed, self).__init__(request, title, description, url)
         self._question_list = question_list
diff --git a/forum/utils/pagination.py b/forum/utils/pagination.py
index c36ad2f..4a3ebd6 100644
--- a/forum/utils/pagination.py
+++ b/forum/utils/pagination.py
@@ -7,7 +7,7 @@ from django.http import Http404
 from django.utils.http import urlquote
 from django.utils.safestring import mark_safe
 from django.utils.html import strip_tags
-
+from forum.utils.html import sanitize_html
 import logging
 def generate_uri(querydict, exclude=None):
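Review bot: The rewritten `url` line in RssQuestionFeed.__init__ still joins `request.path` and the query string with `&` instead of `?`, and when every parameter is excluded generate_uri() returns an empty string, leaving a dangling `&`; this pre-dates the commit, but the line was touched anyway. Django's `request.path` carries no query string, so unless BaseNodeFeed rewrites the URL later (not visible here) the separator should be `?` and added only when there are parameters: `params = generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))` / `url = request.path + ('?' + params if params else '')`. generate_uri() percent-encodes values but not parameter names (see the pagination.py hunk), so whatever renders this URL must still escape it rather than trust it. The rest of RssQuestionFeed lies outside the hunk.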
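Review bot: `sanitize_html` is imported into pagination.py here, but nothing in this diff uses it — the filtering added to generate_uri() in the next hunk calls `strip_tags`. If it is not used elsewhere in the file (not visible here), drop the import, or use it in place of `strip_tags` if a whitelist-based sanitiser was the intent; an unused import in a security fix leaves it unclear which filter was actually reviewed. A one-line comment above the import, `# unused: generate_uri() filters with strip_tags`, would at least record the decision if it must stay.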
@@ -15,7 +15,7 @@ def generate_uri(querydict, exclude=None):
     for k, l in querydict.iterlists():
         if (not exclude) or (not k in exclude):
-            all += ["%s=%s" % (k, urlquote(v)) for v in l]
+            all += ["%s=%s" % (k, urlquote(strip_tags(v))) for v in l]
     return "&".join(all)
diff --git a/forum/views/readers.py b/forum/views/readers.py
index 1c4dfcc..e43567d 100644
--- a/forum/views/readers.py
+++ b/forum/views/readers.py
@@ -29,6 +29,7 @@ from forum.forms import get_next_url
 from forum.actions import QuestionViewAction
 from forum.http_responses import HttpResponseUnauthorized
 from forum.feed import RssQuestionFeed, RssAnswerFeed
+from forum.utils.pagination import generate_uri
 import decorators
 class HottestQuestionsSort(pagination.SortBase):
@@ -163,7 +164,7 @@ def question_list(request, initial,
     #answer_description = _("answers")
     if not feed_url:
-        req_params = "&".join(["%s=%s" % (k, v) for k, v in request.GET.items() if not k in (_('page'), _('pagesize'), _('sort'))])
+        req_params = "&".join(generate_uri(request.GET, (_('page'), _('pagesize'), _('sort'))))
         if req_params:
             req_params = '&' + req_params
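Review bot: On the changed `all +=` line only the value is quoted; the parameter name `k` comes from the same request QueryDict and is interpolated raw, so a name containing `&`, `=`, `<` or `"` passes into the generated query string untouched. Quote both halves: `all += ["%s=%s" % (urlquote(k), urlquote(strip_tags(v))) for v in l]`. Note also that `urlquote` already percent-encodes `<`, `>` and `"`, so `strip_tags` mostly alters legitimate values (a search term like `a<b`) rather than adding protection at this layer; since `mark_safe` is imported in both pagination.py and feed.py, the decisive control is presumably that whichever consumer marks the result safe escapes it first — worth confirming. generate_uri()'s signature and the initialisation of `all` are above the hunk.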
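Review bot: The new `req_params` line in question_list wraps generate_uri() in `"&".join(...)`, but generate_uri() already returns a single `&`-joined string (pagination.py, `return "&".join(all)`), so join iterates that string character by character and yields `a&=&b&...`, corrupting the feed URL for every non-empty query. The assignment should simply be `req_params = generate_uri(request.GET, (_('page'), _('pagesize'), _('sort')))`; the `if req_params:` guard below still supplies the leading `&`. question_list() starts well above the hunk.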