[#5596] Fixed missed unsafe interpolation
Signed-off-by: Cory Johns <johnsca@geek.net>
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index 41c44ce..7c263cd 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -502,13 +502,6 @@
def primary(self):
return self.thread.primary()
- def summary(self):
- # XXX XSS security hole here: display_name can be manipulated to
- # contain unescaped HTML, opening a potential XSS attack
- return '<a href="%s">%s</a> %s' % (
- self.author().url(), self.author().get_pref('display_name'),
- h.ago(self.timestamp))
-
def url(self):
if self.thread:
return self.thread.url() + h.urlquote(self.slug) + '/'
diff --git a/Allura/allura/tests/model/test_discussion.py b/Allura/allura/tests/model/test_discussion.py
index 298c554..a31f043 100644
--- a/Allura/allura/tests/model/test_discussion.py
+++ b/Allura/allura/tests/model/test_discussion.py
@@ -131,7 +131,6 @@
assert p.parent is None
assert p.subject == 'Test Thread'
assert p.attachments.count() == 0
- assert 'Test Admin' in p.summary()
assert 'wiki/_discuss' in p.url()
assert p.reply_subject() == 'Re: Test Thread'
assert p.link_text() == p.subject
