fileboard: fix possible XSS (mainly applicable to 8chan)

2024-11-24 07:30:10 +01:00 · 2015-04-23 03:45:08 +02:00 · 2015-04-23 03:45:08 +02:00 · 271dcb7a65
commit 271dcb7a65
parent b5370fd3e5
2 changed files with 2 additions and 2 deletions
--- a/templates/post_form.html
+++ b/templates/post_form.html
@ -98,7 +98,7 @@
 				<td>
 					<select name="tag">
 						{% for id, tag in config.allowed_tags %}
-							<option value="{{ id }}">{{ tag }}</option>
+							<option value="{{ id|e }}">{{ tag|e }}</option>
 						{% endfor %}
 					</select>
 				</td>
--- a/templates/post_thread_fileboard.html
+++ b/templates/post_thread_fileboard.html
@ -9,7 +9,7 @@
 <td>{% include 'post/name.html' %}
    {% include 'post/flag.html' %}
 <td>[<a href="{{ config.uri_img }}{{ post.files[0].file }}">{{ post.files[0].filename|e|bidi_cleanup }}</a>]
-<td>{% if post.modifiers['tag'] %}[{{ post.modifiers['tag'] }}]{% endif %}
+<td>{% if post.modifiers['tag'] %}[{{ post.modifiers['tag']|e }}]{% endif %}
 <td>{% include 'post/subject.html' %}
 	{% if post.sticky %}
 		{% if config.font_awesome %}