Commit 13f04563 authored by Tomas Hlavacek

Fix XSS discovered by in the Whois code.

The whois code allowed HTML from whois output to be passed to the resulting webpage,
which would allow XSS on the page.

Remove Markup() call from the whois result display routine in order to allow
genshi to escape the whois output.
parent f54e1227
......@@ -724,7 +724,7 @@ class ULGCgi:
template = self.loader.load(defaults.whois_template_file)
res = whois.lookup(key)
return template.generate(result=Markup(res),
return template.generate(result=res,
).render('html', doctype='html', encoding='utf-8')
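Review bot: with `result=res` in the `template.generate()` call, the fix depends entirely on the template loaded from `defaults.whois_template_file` escaping `result` on output, and nothing in this hunk verifies that. Please confirm the template interpolates `result` as plain text and does not wrap it in `Markup()` again itself. Since the whois text is now rendered escaped, also check that the template still preserves its line breaks (for example inside a `<pre>` element). A regression test that feeds a `whois.lookup()` response containing `<script>` through this method and asserts that the rendered page contains `&lt;script&gt;` would keep the `Markup()` wrapper from coming back unnoticed. It is also worth checking whether other `template.generate()` calls in `ULGCgi` still pass external command output through `Markup()`.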