Bug #5881 » 0002-fixes-5881-XSS-from-create-update-destroy-notificati.patch

Joseph Magen, 06/11/2014 01:19 PM


app/controllers/application_controller.rb
end
def notice notice
flash[:notice] = notice
flash[:notice] = CGI::escapeHTML(notice)
end
def error error
flash[:error] = error
flash[:error] = CGI::escapeHTML(error)
end
def warning warning
flash[:warning] = warning
flash[:warning] = CGI::escapeHTML(warning)
end
# this method is used with nested resources, where obj_id is passed into the parameters hash.
......
hash[:error_msg] = [hash[:error_msg]].flatten
hash[:error_msg] = hash[:error_msg].join("<br/>")
if hash[:render]
flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?
flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty?
render hash[:render]
return
elsif hash[:redirect]
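Review bot: The escape added on the flash.now line runs after error_msg has already been joined with `<br/>` two lines earlier, so the separator itself is turned into `&lt;br/&gt;` and the intended line breaks disappear wherever the flash is rendered unescaped. Escaping each message before the join keeps the separator intact: `hash[:error_msg] = [hash[:error_msg]].flatten.map { |m| CGI::escapeHTML(m.to_s) }.join("<br/>")` followed by the original `flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?`. Separately, `CGI::escapeHTML` raises TypeError on nil, so the new `notice`/`error`/`warning` helpers now fail for any caller that passes nil where the old assignment silently stored it; `CGI::escapeHTML(notice.to_s)` would keep that tolerance. If the layout already escapes flash values on output, this escaping doubles up (`&` becomes `&amp;amp;`), which is worth confirming against the flash partial. process_error's body starts and ends outside the hunk.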
app/controllers/concerns/foreman/controller/taxonomies_controller.rb
process_error
end
rescue Ancestry::AncestryException
flash[:error] = _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name }
process_error
process_error(:error_msg => _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name })
end
def select
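Review bot: The new process_error call puts the gettext format string, its `%` hash and the method call on one long line, which makes the rescue clause hard to scan. Building the message first, `msg = _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name }` and then `process_error(:error_msg => msg)`, keeps the line length down and mirrors how the removed line assigned the flash. The enclosing method and the rescue's begin block start outside the hunk.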
app/controllers/hostgroups_controller.rb
process_error
end
rescue Ancestry::AncestryException
flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title }
process_error
process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title } )
end
end
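Review bot: The rewritten process_error call drops the `_()` gettext wrapper that both the removed line and the matching taxonomies_controller change keep, so this message is no longer translatable. It should read `process_error(:error_msg => _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title })`. The bare parenthesised string literal and the stray space before the closing `)` suggest the wrapper was lost while editing rather than removed on purpose. The enclosing method starts outside the hunk.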
app/controllers/roles_controller.rb
def clone
@cloned_role = true
@original_role_id = @role.id
flash[:notice] = _("Role cloned from role %{old_name}") %
{ :old_name => @role.name }
notice(_("Role cloned from role %{old_name}") % { :old_name => @role.name })
@role = Role.new
render :action => :new
end
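Review bot: The new `notice(...)` call in `clone` writes through the helper to `flash[:notice]` (per the application_controller hunk), not `flash.now`, and `clone` then renders `:new` instead of redirecting, so the "Role cloned" message will also be shown on the next request unless something else clears it. Since the line is being rewritten anyway, using the now-scoped flash here, `flash.now[:notice] = CGI::escapeHTML(_("Role cloned from role %{old_name}") % { :old_name => @role.name })`, or giving the helper a `now:` option, avoids the stale message while keeping the escaping. This behaviour predates the commit but the change is the natural place to fix it.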