Merge pull request #2580 from marutosi/finn/relese/4.0/redmine-r14016

[XSS Vulnerability] Escape flash messages (#19117).
Florian Kraft 10 years ago
commit 1a0964a479
  1. 6
      app/controllers/admin_controller.rb

@ -71,7 +71,7 @@ class AdminController < ApplicationController
Redmine::DefaultData::Loader::load(params[:lang])
flash[:notice] = l(:notice_default_data_loaded)
rescue Exception => e
flash[:error] = l(:error_can_t_load_default_data, e.message)
flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
end
end
redirect_to :action => 'index'
@ -83,9 +83,9 @@ class AdminController < ApplicationController
ActionMailer::Base.raise_delivery_errors = true
begin
@test = UserMailer.test_mail(User.current).deliver
flash[:notice] = l(:notice_email_sent, User.current.mail)
flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
rescue Exception => e
flash[:error] = l(:notice_email_error, e.message)
flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
end
ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
redirect_to :controller => '/settings', :action => 'edit', :tab => 'notifications'
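Review bot: The escaping added at line 15 (`ERB::Util.h(e.message)`) does not get the invalid-UTF-8 scrubbing this same commit applies to the mail error at line 27; `ERB::Util.h` performs a regex substitution, which raises `ArgumentError` (invalid byte sequence) on a string tagged UTF-8 but malformed, and because that happens inside the `rescue` body it would leave the handler and turn a default-data load failure into a 500 instead of a flash message. For consistency with the second hunk, line 15 should read `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))`. Pre-escaping in the controller presumably means the layout renders flash values as HTML-safe, so every other `flash[...] = l(..., value)` with interpolated data needs the same treatment and that invariant is easy to miss; a comment like `# flash values are rendered as HTML by the layout: escape anything interpolated into them` above the first assignment would make it explicit. The surrounding `rescue Exception => e` (pre-existing, not introduced here) also swallows `SystemExit` and signals, where a plain `rescue => e` would suffice. Both enclosing actions begin outside these hunks.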
