[pve-devel] r5743 - in pve-manager/trunk: . debian lib/PVE

svn-commits at proxmox.com
Wed Mar 23 08:07:26 CET 2011


Author: dietmar
Date: 2011-03-23 08:07:26 +0100 (Wed, 23 Mar 2011)
New Revision: 5743

Modified:
   pve-manager/trunk/ChangeLog
   pve-manager/trunk/debian/changelog.Debian
   pve-manager/trunk/lib/PVE/HTMLForm.pm
Log:


Modified: pve-manager/trunk/ChangeLog
===================================================================
--- pve-manager/trunk/ChangeLog	2011-03-23 06:52:28 UTC (rev 5742)
+++ pve-manager/trunk/ChangeLog	2011-03-23 07:07:26 UTC (rev 5743)
@@ -1,6 +1,8 @@
 2011-03-23  Proxmox Support Team  <support at proxmox.com>
 
 	* lib/PVE/HTMLForm.pm (create_footer): add anti CSRF token
+	(create_element): encode html correctly (avoid Persistant XSS
+	vulnerabilities).
 
 	* lib/PVE/HTMLDropDown.pm (add_item): add anti CSRF token
 
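Review bot: spelling in the added ChangeLog line `+	(create_element): encode html correctly (avoid Persistant XSS`: "Persistant" should be "Persistent", and "html" is conventionally written "HTML" in the entry above it.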

Modified: pve-manager/trunk/debian/changelog.Debian
===================================================================
--- pve-manager/trunk/debian/changelog.Debian	2011-03-23 06:52:28 UTC (rev 5742)
+++ pve-manager/trunk/debian/changelog.Debian	2011-03-23 07:07:26 UTC (rev 5743)
@@ -1,6 +1,9 @@
 pve-manager (1.8-14) unstable; urgency=low
 
   * protect against Cross Site Request Forgery (added anti-CSRF tokens)
+  
+  * correctly encode html entities inside notes (avoid persistant XSS
+    vulnerabilities).
 
  -- Proxmox Support Team <support at proxmox.com>  Wed, 23 Mar 2011 07:49:34 +0100
 
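Review bot: the added separator line `+  ` carries trailing whitespace; it should be an empty line like the others in this changelog. Same spelling fix as in ChangeLog: "persistant" should be "persistent".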

Modified: pve-manager/trunk/lib/PVE/HTMLForm.pm
===================================================================
--- pve-manager/trunk/lib/PVE/HTMLForm.pm	2011-03-23 06:52:28 UTC (rev 5742)
+++ pve-manager/trunk/lib/PVE/HTMLForm.pm	2011-03-23 07:07:26 UTC (rev 5743)
@@ -118,7 +118,7 @@
     elsif ($type eq "textarea") {
 	my $rows = $opt || 4;
 	my $rh = int ($rows*int(1.2*12+1));
-	$out .= "<textarea class='$class' name=$name style='width:${innerwidth}px;height:${rh}px;' ROWS=$rows>$value</textarea>";
+	$out .= "<textarea class='$class' name=$name style='width:${innerwidth}px;height:${rh}px;' ROWS=$rows>$encvalue</textarea>";
     } 
     elsif ($type eq "viewonly") {
 	$out .= "<input $widthstr disabled class='$class' readonly type='text' value='$encvalue'></input>";
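Review bot: the hunk replaces `$value` with `$encvalue` only in the textarea branch; confirm that the other branches of create_element that interpolate `$value` into markup were updated the same way, and that `$encvalue` is derived from `$value` before this point and escapes at least `&`, `<` and `>`, otherwise a stored note containing `</textarea>` still closes the element and the remainder is parsed as markup. Because the same `$encvalue` is interpolated into the single-quoted attribute `value='$encvalue'` in the viewonly branch, the encoder must escape the apostrophe as well. Minor: `name=$name` and `ROWS=$rows` are unquoted attribute values; quoting them as the class and style attributes already are is cheap hardening.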
