couchdb-commits mailing list archives

From robertkowal...@apache.org
Subject fauxton commit: updated refs/heads/master to b26541c
Date Mon, 06 Oct 2014 14:52:13 GMT
Repository: couchdb-fauxton
Updated Branches:
  refs/heads/master dee7baa94 -> b26541cb6


Fix XSS issue

You could inject JS via the url callback:
/#noAccess?urlback="><script>alert(9)</script>


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/b26541cb
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/b26541cb
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/b26541cb

Branch: refs/heads/master
Commit: b26541cb650b9d69c64e3682261b3424b723704b
Parents: dee7baa
Author: Robert Kowalski <rok@kowalski.gd>
Authored: Mon Oct 6 16:50:10 2014 +0200
Committer: Robert Kowalski <rok@kowalski.gd>
Committed: Mon Oct 6 16:50:10 2014 +0200

----------------------------------------------------------------------
 app/addons/auth/templates/noAccess.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/b26541cb/app/addons/auth/templates/noAccess.html
----------------------------------------------------------------------
diff --git a/app/addons/auth/templates/noAccess.html b/app/addons/auth/templates/noAccess.html
index ab2cf7f..689134c 100644
--- a/app/addons/auth/templates/noAccess.html
+++ b/app/addons/auth/templates/noAccess.html
@@ -16,6 +16,6 @@ the License.
   <h2>Access Denied</h2>
   <p>
     You do not have permission to view this page.<br />
-    You might need to <a href="#login<% if (urlBack){ %>?urlback=<%=urlBack%>
 <% } %> ">login</a>.
+    You might need to <a href="#login<% if (urlBack){ %>?urlback=<%-urlBack%>
<% } %> ">login</a>.
   </p>
-</div>
\ No newline at end of file
+</div>
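
Review bot: on the `+` line, `<%-urlBack%>` is HTML-escaped but still not URL-encoded, even though it lands in the query part of the `href` (`#login?urlback=...`). Escaping closes the `">` attribute breakout quoted in the commit message, assuming the template engine treats `<%-` as escaped output the way Underscore does, but a `urlBack` containing `&`, `#` or whitespace would still alter the link. Suggest applying `encodeURIComponent` to `urlBack` before it reaches the template and keeping the `<%-` form. The code that reads `urlback` after login is not part of this diff; it is worth confirming that it only accepts in-app routes, and adding a test that renders noAccess.html with the payload from the commit message so the fix does not regress.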

