Defect #19117 » 0001-Fix-potential-XSS-in-flash-rendering.patch
| app/controllers/account_controller.rb | ||
|---|---|---|
| 293 | 293 |
token = Token.new(:user => user, :action => "register") |
| 294 | 294 |
if user.save and token.save |
| 295 | 295 |
Mailer.register(token).deliver |
| 296 |
flash[:notice] = l(:notice_account_register_done, :email => user.mail)
|
|
| 296 |
flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
|
|
| 297 | 297 |
redirect_to signin_path |
| 298 | 298 |
else |
| 299 | 299 |
yield if block_given? |
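Review bot: The new line escapes `user.mail` at the point where the flash is assigned, which only works if the flash is later rendered without a second round of escaping; nothing in the hunk records that assumption, so a reader may later "fix" the double-looking `h()` call or render flash through an escaping helper and get `&amp;` artifacts. A one-line comment above the assignment would pin it: `# user.mail is user-supplied and flash text is presumably emitted html_safe by the layout, so escape it here`. Escaping per call site is also fragile — any other `flash[...] = l(..., user_value)` that this patch does not touch stays unescaped — so a shared helper for "flash with interpolated user data" would be a more durable fix than the scattered `ERB::Util.h` calls (the same applies to both hunks in admin_controller.rb). The enclosing action starts and ends outside the hunk.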
| app/controllers/admin_controller.rb | ||
|---|---|---|
| 51 | 51 |
Redmine::DefaultData::Loader::load(params[:lang]) |
| 52 | 52 |
flash[:notice] = l(:notice_default_data_loaded) |
| 53 | 53 |
rescue Exception => e |
| 54 |
flash[:error] = l(:error_can_t_load_default_data, e.message)
|
|
| 54 |
flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
|
|
| 55 | 55 |
end |
| 56 | 56 |
end |
| 57 | 57 |
redirect_to admin_path |
| ... | ... | |
| 63 | 63 |
ActionMailer::Base.raise_delivery_errors = true |
| 64 | 64 |
begin |
| 65 | 65 |
@test = Mailer.test_email(User.current).deliver |
| 66 |
flash[:notice] = l(:notice_email_sent, User.current.mail)
|
|
| 66 |
flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
|
|
| 67 | 67 |
rescue Exception => e |
| 68 |
flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
|
|
| 68 |
flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
|
|
| 69 | 69 |
end |
| 70 | 70 |
ActionMailer::Base.raise_delivery_errors = raise_delivery_errors |
| 71 | 71 |
redirect_to settings_path(:tab => 'notifications') |
| 72 |
- |
|
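Review bot: In the first hunk of this file `ERB::Util.h(e.message)` is applied directly to the exception text, while the second hunk first runs the message through `Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)`; `ERB::Util.h` uses `gsub`, which raises `ArgumentError` on a string with invalid byte sequences, so if a loader error message can carry such bytes the `rescue` branch itself would fail with a 500 instead of showing the flash. Making the two sites consistent removes that gap: `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))`. Both hunks also sit inside a pre-existing `rescue Exception => e`, which swallows `SystemExit`, `SignalException` and `NoMemoryError`; narrowing it to `rescue StandardError => e` (or the specific loader/mailer errors) would be a worthwhile follow-up, though it is outside what this patch changes. The actions containing both hunks begin outside the hunks.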