[#8536] improve safety
diff --git a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
index ccbd270..b65f797 100644
--- a/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
+++ b/Allura/allura/ext/personal_dashboard/templates/sections/projects.html
@@ -43,7 +43,7 @@
{%- endif -%}
<span class="project-info">
<a href="{{ project.url() }}">{{ project.name }}</a>
- {{ project.summary or ' '|safe }}
+ {{ project.summary or (' '|safe) }}
</span>
<span class="project-last-updated">
Last Updated:
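Review bot: The parentheses in `{{ project.summary or (' '|safe) }}` do not alter what is rendered — Jinja applies a filter to the operand immediately before it, so `' '|safe` was already the right-hand alternative and `project.summary` stays subject to autoescaping in both forms (assuming autoescape is on for these templates); the gain is readability rather than safety. Because the commit title says "improve safety", a later reader may take the old form for a bug and go looking for an escaping gap, so record the intent beside the line, e.g. `{# parens for clarity: |safe applies only to the blank fallback, summary stays autoescaped #}`. The same applies to the identical change in user_profile/templates/sections/projects.html.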
@@ -71,4 +71,4 @@
$(this).hide().closest('.section-body').find('li.hidden').show();
});
</script>
-{% endblock %}
\ No newline at end of file
+{% endblock %}
diff --git a/Allura/allura/ext/user_profile/templates/sections/projects.html b/Allura/allura/ext/user_profile/templates/sections/projects.html
index e774111..3b306ec 100644
--- a/Allura/allura/ext/user_profile/templates/sections/projects.html
+++ b/Allura/allura/ext/user_profile/templates/sections/projects.html
@@ -43,7 +43,7 @@
{%- endif -%}
<span class="project-info">
<a href="{{project.url()}}">{{project.name}}</a>
- {{project.summary or ' '|safe}}
+ {{project.summary or (' '|safe)}}
</span>
<span class="project-last-updated">
Last Updated:
diff --git a/Allura/allura/lib/widgets/forms.py b/Allura/allura/lib/widgets/forms.py
index 134cd6f..65121ed 100644
--- a/Allura/allura/lib/widgets/forms.py
+++ b/Allura/allura/lib/widgets/forms.py
@@ -18,6 +18,7 @@
import logging
from html import escape as html_escape
+import html
from tg import app_globals as g, tmpl_context as c
from formencode import validators as fev
import formencode
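Review bot: `import html` duplicates `from html import escape as html_escape` on the line directly above it, so the module now carries two names for the same function. The new call in the `@@ -616` hunk can use the existing alias, `text=html_escape(cat.shortname),`, and this import line dropped, which also keeps the escaping style consistent with the rest of the file. In that same hunk `attrs={'disabled': True, 'value': cat.shortname}` is left unescaped while `text` is now escaped — presumably the widget library escapes attribute values when rendering, but since the commit treats `text` as rendered raw that assumption is worth confirming. The enclosing widget definition starts outside the hunk.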
@@ -616,7 +617,7 @@
text=cat.fullname,
href="/categories/%s" % cat.trove_cat_id),
ew.HTMLField(
- text=cat.shortname,
+ text=html.escape(cat.shortname),
attrs={'disabled': True, 'value': cat.shortname}),
ew.SubmitButton(
show_errors=False,
diff --git a/Allura/allura/templates/jinja_master/master.html b/Allura/allura/templates/jinja_master/master.html
index 72c03bc..6d0d829 100644
--- a/Allura/allura/templates/jinja_master/master.html
+++ b/Allura/allura/templates/jinja_master/master.html
@@ -173,7 +173,7 @@
{{ theme_macros.custom_js() }}
{% if flash %}
- <script type="text/javascript">{{ flash | safe }}</script>
+ <script type="text/javascript">{{ flash | safe }}</script>{# comes from flash.static_template in root.py and escaped by tg.flash allow_html setting #}
{% endif %}
<script>
$(document).ready(function () {
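Review bot: The new comment explains why `{{ flash | safe }}` is acceptable, but the guarantee it cites is conditional: it holds only while flash messages are escaped before they reach this template, which the comment attributes to the `allow_html` setting of tg.flash. Because the value is emitted inside an inline `<script>` block, anything that reaches it unescaped is executed rather than displayed, so the comment should state the required condition, not just the mechanism, e.g. `{# flash is pre-escaped by tg.flash (relies on allow_html staying disabled); see flash.static_template in root.py #}`. The same comment is added in templates_responsive/jinja_master/master.html and should be kept in step.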
diff --git a/Allura/allura/templates_responsive/jinja_master/master.html b/Allura/allura/templates_responsive/jinja_master/master.html
index be68791..3786e2b 100644
--- a/Allura/allura/templates_responsive/jinja_master/master.html
+++ b/Allura/allura/templates_responsive/jinja_master/master.html
@@ -161,7 +161,7 @@
{% endif %}
{{ theme_macros.custom_js() }}
{% if flash %}
- <script type="text/javascript">{{ flash | safe }}</script>
+ <script type="text/javascript">{{ flash | safe }}</script>{# comes from flash.static_template in root.py and escaped by tg.flash allow_html setting #}
{% endif %}
</body>
</html>