Merge pull request #33 from UKGovLD/fix/181-xss
Fix/181 xss
der authored Mar 10, 2023
2 parents 3613276 + 3b36df1 commit 0492117
Showing 2 changed files with 6 additions and 8 deletions.
2 changes: 1 addition & 1 deletion ldregistry/templates/actions/create-redirect-page.vm
@@ -9,7 +9,7 @@
<div class="col-md-10 col-md-offset-1 modal-page-panel">

<div class="modal-page-head">
<h3>$msg.get('redirect.heading', $entity)</h3>
<h3>$msg.get('redirect.heading', $lib.reg.xssCleanHTML($entity))</h3>
</div>

<div class="modal-page-body">
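Review bot: `xssCleanHTML($entity)` is the right encoder for text that ends up inside the `<h3>`, but the value is handed to `$msg.get('redirect.heading', ...)` as a message argument rather than interpolated directly, so the encoding is only sufficient if the `redirect.heading` message inserts its argument verbatim into element content; should that message ever place the argument in an attribute or a link, a different encoder is needed there. This hunk covers only the heading, so the rest of `create-redirect-page.vm` should be checked for other references to `$entity`.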
12 changes: 5 additions & 7 deletions ldregistry/templates/login.vm
@@ -14,8 +14,6 @@
#set( $lroot = $root )
#end

#set( $return = $lib.reg.xssCleanURI($return) )

<div class="modal-page container">
<div class="row">
<div class="col-md-12 modal-page-panel">
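Review bot: removing the single `#set( $return = $lib.reg.xssCleanURI($return) )` at the top of the template means `$return` stays raw for the rest of the file, so safety now rests on every later use applying its own context-specific encoder. Encoding at the sink rather than on entry is the better design, but any use of `$return` in this template, or inside the `#oauthLogin` / `#oauthRegister` macro bodies, that this commit does not touch now receives the unsanitised value; please grep the template and the macro definitions for a bare `$return` before merging.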
@@ -50,7 +48,7 @@
<input type="password" class="form-control" id="password1" name="password" placeholder="$msg['user.password.label']">
</div>
</div>
<input type="hidden" name="return" value="$return" />
<input type="hidden" name="return" value="$lib.reg.xssCleanHTMLAtribute($return)" />
<div class="form-group">
<div class="col-md-offset-1 col-md-10">
<button type="submit" class="btn btn-default">$msg['login.button']</button>
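Review bot: `xssCleanHTMLAtribute` is the correct encoder for a double-quoted `value=` attribute, so this closes the breakout from the hidden field. Two follow-ups: the helper name is spelt with one `t` (`Atribute`), which is fine if it matches the method exposed on `$lib.reg` but is easy to mistype in future templates, so consider correcting it in the library and here together; and because this field posts `return` back to the login handler, the redirect target still needs server-side validation (a same-origin path, no scheme or host) since attribute encoding protects this HTML, not the later redirect.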
@@ -66,7 +64,7 @@
<p>$msg['login.oauth.note']</p>
#end
#foreach($provider in $oauthProviders)
#oauthLogin($provider, $return)
#oauthLogin($provider, $lib.reg.xssCleanHTMLAtribute($return))
#end
</div>
</div>
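Review bot: the encoder is chosen at the call site, but the output context is decided inside `#oauthLogin`. If that macro emits `$return` inside an `href` or a query string, HTML-attribute encoding is the wrong transform: it does not neutralise a `javascript:` scheme, and a value the macro also URL-encodes would be double-encoded. The `xssCleanURI` pass this commit removes did cover that case. Consider passing the raw `$return` and applying the encoder inside the macro at the point of use, as this commit does for the Close link further down.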
@@ -99,7 +97,7 @@
<input type="password" class="form-control" id="password2" name="password" placeholder="$msg['user.password.label']">
</div>
</div>
<input type="hidden" name="return" value="$return" />
<input type="hidden" name="return" value="$lib.reg.xssCleanHTMLAtribute($return)" />
<div class="form-group">
<div class="col-md-offset-1 col-md-10">
<button type="submit" class="btn btn-default">$msg['login.register.button']</button>
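Review bot: this hidden field duplicates the one in the login form above, including the encoding call. A single `#macro` for the `return` field would keep the encoder in one place so the two forms cannot drift apart the next time one of them is edited.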
@@ -114,7 +112,7 @@
<p>$msg['login.register.oauth']</p>
#end
#foreach($provider in $oauthProviders)
#oauthRegister($provider, $return)
#oauthRegister($provider, $lib.reg.xssCleanHTMLAtribute($return))
#end
</div>
</div>
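Review bot: same concern as for `#oauthLogin` above: `#oauthRegister` decides where `$return` lands, so attribute encoding at the call site is only correct if the macro places the value in a quoted HTML attribute that is not a URL; the encoder belongs inside the macro.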
@@ -134,7 +132,7 @@
<div class="modal-page-footer">
<div class="row">
<div class="col-md-offset-10 col-md-1">
<a href="#if($return)$return#else$root#end" class="btn">$msg['ui.close']</a>
<a href="#if($return)$lib.reg.xssCleanURI($return)#else$root#end" class="btn">$msg['ui.close']</a>
</div>
</div>
</div>
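Review bot: `xssCleanURI` in an `href` has to do more than entity-encode: a `javascript:` or `data:` value survives HTML encoding unchanged and still runs on click, so the helper should reject or neutralise such schemes (or require a relative path) rather than only escaping characters. The `#if($return)` test runs on the raw value, which is fine. `$root` in the `#else` branch is emitted unencoded, which is acceptable only because it is set by the server and not from the request.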
