Redmine 3.0.0 and 2.6.2 released » flash_message_xss_fix.patch
trunk/app/controllers/admin_controller.rb (revision 14016) | ||
---|---|---|
51 | 51 |
Redmine::DefaultData::Loader::load(params[:lang]) |
52 | 52 |
flash[:notice] = l(:notice_default_data_loaded) |
53 | 53 |
rescue Exception => e |
54 |
flash[:error] = l(:error_can_t_load_default_data, e.message)
|
|
54 |
flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
|
|
55 | 55 |
end |
56 | 56 |
end |
57 | 57 |
redirect_to admin_path |
... | ... | |
63 | 63 |
ActionMailer::Base.raise_delivery_errors = true |
64 | 64 |
begin |
65 | 65 |
@test = Mailer.test_email(User.current).deliver |
66 |
flash[:notice] = l(:notice_email_sent, User.current.mail)
|
|
66 |
flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
|
|
67 | 67 |
rescue Exception => e |
68 |
flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
|
|
68 |
flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
|
|
69 | 69 |
end |
70 | 70 |
ActionMailer::Base.raise_delivery_errors = raise_delivery_errors |
71 | 71 |
redirect_to settings_path(:tab => 'notifications') |
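Review bot: The new `ERB::Util.h(e.message)` in the default-data rescue (old/new line 54) is not given the same `Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)` treatment that the test-email rescue (line 68) applies before escaping; since `ERB::Util.h` is implemented with a `gsub`, an exception message carrying invalid UTF-8 bytes could, as far as I can tell, raise `ArgumentError` inside the rescue and turn a handled failure into a 500. Making the two sites consistent would be `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))`. Escaping at the point where the flash value is built, rather than where it is rendered, also deserves a why-comment at each site so the next edit does not drop it, e.g. `# flash values are interpolated into the layout without escaping, so untrusted parts are HTML-escaped here`; the same applies to the account_controller.rb hunk (line 296). Both enclosing actions (`default_configuration` and `test_email`) start outside the hunk.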
trunk/app/controllers/account_controller.rb (revision 14016) | ||
---|---|---|
293 | 293 |
token = Token.new(:user => user, :action => "register") |
294 | 294 |
if user.save and token.save |
295 | 295 |
Mailer.register(token).deliver |
296 |
flash[:notice] = l(:notice_account_register_done, :email => user.mail)
|
|
296 |
flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
|
|
297 | 297 |
redirect_to signin_path |
298 | 298 |
else |
299 | 299 |
yield if block_given? |