Ralf Schlatterbeck added the comment:

I've finally fixed this in roundup core, changeset is 24b8011cd2dc

Note that the bug as reported doesn't currently occur in roundup (even before my fix) as we currently don't issue error messages for non-existing properties used in sort/group clauses (they're simply ignored as we have search permissions for some time so it can always occur that a user may not search for a certain property in which case this property is ignored in sort/group and filter clauses).

On the other hand it *is* asking for trouble to not escape error/ok messages so I've changed this in the templates and reworked the core code to not escape messages. This *needs* a change to the template. So if you apply only the patch to roundup core you're *more vulnerable than before*. Be sure to apply the patch to the template, see doc/upgrading.txt.

I've committed the necessary changes to roundup's own tracker but didn't dare to upgrade the whole install at bugs.python.org (although I do have access). I certainly am willing to help when someone else takes this job and needs/wants help.

See roundup's bug report for this issue:
http://issues.roundup-tracker.org/issue2550817

Ralf

----------
nosy: +runtux

_______________________________________________________
PSF Meta Tracker <metatrac...@psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue519>
_______________________________________________________
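The upgrade-ordering risk described in the comment above, as an added example that is not part of the original message and not Roundup's code: a simplified model of which layer escapes an error message, run over all four core/template combinations. The function names, the message text and the sample input are assumptions made for illustration.

```python
from html import escape
from itertools import product

# Constructed sample: an untrusted property name reflected in an error message.
UNTRUSTED = "<i>nosuchprop</i>"


def core_message(prop, core_escapes):
    """Hypothetical model of the core building a message from user input."""
    text = "Unknown sort property: %s" % prop
    return escape(text) if core_escapes else text


def template_render(message, template_escapes):
    """Hypothetical model of the page template inserting the message."""
    body = escape(message) if template_escapes else message
    return '<p class="error-message">%s</p>' % body


def classify(core_escapes, template_escapes):
    """Render the sample and report what reaches the browser."""
    html = template_render(core_message(UNTRUSTED, core_escapes),
                           template_escapes)
    if "<i>" in html:
        return "vulnerable"        # user-supplied markup survives verbatim
    if "&amp;lt;" in html:
        return "double-escaped"    # harmless, but the text is mangled
    return "safe"


def matrix():
    """Map (core_escapes, template_escapes) to the outcome."""
    return {(c, t): classify(c, t)
            for c, t in product((True, False), repeat=2)}


if __name__ == "__main__":
    for (core, tmpl), outcome in matrix().items():
        print("core escapes=%-5s template escapes=%-5s -> %s"
              % (core, tmpl, outcome))
```

The only vulnerable cell is the one where neither layer escapes, which in this model is the state after patching the core without updating the template.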