Commit 85b51984 authored by HERBERT Ryan

controllers/notification.py, views/notification/info.html ensured dangerous...

controllers/notification.py, views/notification/info.html ensured dangerous content is properly escaped on input so that markdown can be properly rendered without a risk of XSS
parent 2ba8ff67
......@@ -59,7 +59,7 @@ def add_form():
if error=="" :
id = db.notification.insert(title=request.vars["title"],
message_content=xmlescape(request.vars["message_content"]),
message_content=XML(request.vars["message_content"], sanitize=True).xml(),
message_type=request.vars["message_type"],
priority=request.vars["priority"],
expiration=request.vars["expiration"],
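Review bot: The sanitized string stored in `message_content` here (and identically in edit_form, second hunk) now carries the whole XSS guarantee, because views/notification/info.html renders it through `XML(markdown(...))` without sanitizing; nothing in the controller records that dependency. Sanitizing before the markdown pass also inverts the order the sanitizer needs: it only inspects HTML that is already present, while markdown later turns link and image syntax into `a`/`img` elements whose attributes the sanitizer never checked, so the attribute whitelist is bypassed for exactly the content markdown is meant to support. Keeping the input-side sanitize as defense in depth is fine, but the sanitization that matters is the one applied to the final HTML in the view. A comment on the changed line such as `# stored sanitized; info.html renders this as trusted HTML after markdown` would at least make the contract visible to the next editor. add_form starts before and continues after this hunk.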
......@@ -109,7 +109,7 @@ def edit_form():
if error=="" :
db.notification[request.vars['id']] = dict(title=request.vars["title"],
message_content=xmlescape(request.vars["message_content"]),
message_content=XML(request.vars["message_content"], sanitize=True).xml(),
message_type=request.vars["message_type"],
priority=request.vars["priority"],
expiration=request.vars["expiration"])
......@@ -4,5 +4,5 @@
<h3>{{=query.title}}</h3>
<div class="db_block">
{{=XML(markdown(query.message_content), sanitize=True)}}
{{=XML(markdown(query.message_content))}}
</div>
\ No newline at end of file
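Review bot: Dropping `sanitize=True` on the rendered output makes the page trust whatever `markdown(query.message_content)` produces, which holds only if every writer of `message_content` sanitized it (the diff shows the add/edit forms doing so; other paths such as appadmin or imports are not visible here) and if the markdown implementation never builds elements or attributes from plain text — link and image syntax normally does. Sanitizing the final HTML is the cheaper guarantee and is independent of how the row was written: `{{=XML(markdown(query.message_content), sanitize=True)}}`. If the motivation was that the default whitelist strips tags markdown needs, XML's `permitted_tags` and `allowed_attributes` arguments let the whitelist be widened instead of removed. The commit message says content is "escaped on input", but the controller change sanitizes rather than escapes, so a one-line comment above this element stating which layer is responsible for sanitization would avoid the two drifting apart again.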