Repository: couchdb-fauxton Updated Branches: refs/heads/master dee7baa94 -> b26541cb6
Fix XSS issue You could inject JS via the url callback: /#noAccess?urlback="><script>alert(9)</script> Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/b26541cb Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/b26541cb Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/b26541cb Branch: refs/heads/master Commit: b26541cb650b9d69c64e3682261b3424b723704b Parents: dee7baa Author: Robert Kowalski <[email protected]> Authored: Mon Oct 6 16:50:10 2014 +0200 Committer: Robert Kowalski <[email protected]> Committed: Mon Oct 6 16:50:10 2014 +0200 ---------------------------------------------------------------------- app/addons/auth/templates/noAccess.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/b26541cb/app/addons/auth/templates/noAccess.html ---------------------------------------------------------------------- diff --git a/app/addons/auth/templates/noAccess.html b/app/addons/auth/templates/noAccess.html index ab2cf7f..689134c 100644 --- a/app/addons/auth/templates/noAccess.html +++ b/app/addons/auth/templates/noAccess.html @@ -16,6 +16,6 @@ the License. <h2>Access Denied</h2> <p> You do not have permission to view this page.<br /> - You might need to <a href="#login<% if (urlBack){ %>?urlback=<%=urlBack%> <% } %> ">login</a>. + You might need to <a href="#login<% if (urlBack){ %>?urlback=<%-urlBack%> <% } %> ">login</a>. </p> -</div> \ No newline at end of file +</div>
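Review bot: The change from `<%=urlBack%>` to `<%-urlBack%>` applies Underscore's HTML escaping to the interpolated value, which does neutralize the `"><script>alert(9)</script>` payload named in the commit message in this attribute context; two points remain for this hunk. First, the value is HTML-escaped but not URL-encoded before being placed into the `?urlback=` query string of the `#login` fragment, so an `urlBack` containing `&`, `#`, or a space will not round-trip intact to the login route, and the literal space before the closing `"` of the `href` (`<% } %> "`) ends up inside the link target for the same reason; suggest `encodeURIComponent` on the value in the view that sets `urlBack` (or in the template) and dropping the stray space. Second, no test accompanies the fix: a template render test that feeds the payload from the commit message as `urlBack` and asserts that the output contains no raw `<` or `"` inside the attribute would keep this from regressing. The end-of-file newline fix on `</div>` is fine.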
