Redmine 3.0.0 and 2.6.2 released » flash_message_xss_fix.patch

Jean-Philippe Lang, 2015-02-19 20:52


trunk/app/controllers/admin_controller.rb (revision 14016)
51 51
        Redmine::DefaultData::Loader::load(params[:lang])
52 52
        flash[:notice] = l(:notice_default_data_loaded)
53 53
      rescue Exception => e
54
        flash[:error] = l(:error_can_t_load_default_data, e.message)
54
        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
55 55
      end
56 56
    end
57 57
    redirect_to admin_path
......
63 63
    ActionMailer::Base.raise_delivery_errors = true
64 64
    begin
65 65
      @test = Mailer.test_email(User.current).deliver
66
      flash[:notice] = l(:notice_email_sent, User.current.mail)
66
      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
67 67
    rescue Exception => e
68
      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
68
      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
69 69
    end
70 70
    ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
71 71
    redirect_to settings_path(:tab => 'notifications')
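Review bot: The escaping is applied where the flash is assigned (`ERB::Util.h(e.message)` in the first hunk and the two `ERB::Util.h(...)` wrappers in the second), which only closes the hole if the view that renders flash is the place treating the string as HTML, presumably via `html_safe`; if that view escapes as well these messages become double-escaped, and every other `flash[...] =` that interpolates exception or user data stays exposed unless it remembers the same wrapper, so escaping once at the render site would be the more robust fix. A comment on each escaped line, such as `# flash text is rendered as HTML: escape the interpolated, user/exception-controlled part`, would record why the wrapper is there. The same pattern appears in account_controller.rb below. Both enclosing methods start outside their hunks; the pre-existing `rescue Exception => e` also catches SystemExit and NoMemoryError and is worth narrowing to StandardError in a separate change.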
trunk/app/controllers/account_controller.rb (revision 14016)
293 293
    token = Token.new(:user => user, :action => "register")
294 294
    if user.save and token.save
295 295
      Mailer.register(token).deliver
296
      flash[:notice] = l(:notice_account_register_done, :email => user.mail)
296
      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
297 297
      redirect_to signin_path
298 298
    else
299 299
      yield if block_given?
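Review bot: `user.mail` in the new `ERB::Util.h(user.mail)` line is, by the surrounding `Token.new(:user => user, :action => "register")` and `Mailer.register(token)` context, presumably the address the registrant just typed in, so of the three escaped sites this is the one whose value is most directly attacker-chosen and it deserves a regression test asserting that registering with a mail address containing `<` yields an escaped flash; nothing in the hunk shows a test being added. The enclosing method starts and ends outside the hunk. The context line `if user.save and token.save` uses `and` where `&&` is conventional, but that is pre-existing and not part of this change.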