mirror of https://github.com/kakwa/ldapcherry synced 2025-07-15 14:08:31 +02:00

Protect against XSS vulnerabilities in URL redirection

- Switch from base64 to URL encoding for passing the URL, using the built-in Mako filtering
- Apply HTML filtering to Mako output by default
- Disable HTML filtering for nested templates in adduser, modify, and selfmodify
This commit is contained in:
John Thiltges 2019-01-02 14:31:10 -06:00
parent 1ed654c91b
commit 6f98076281
5 changed files with 24 additions and 23 deletions


@ -9,11 +9,11 @@
<form method='POST' autocomplete="off" action='/adduser' role="form" class="form-signin" id=form>
<fieldset>
<legend>Fill new user's attributes:</legend>
${form}
${form | n}
</fieldset>
<fieldset>
<legend>Enable/Disable user's roles:</legend>
${roles}
${roles | n}
</fieldset>
<div class="form-group">
<div class="input-group">
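Review bot: `${form | n}` and `${roles | n}` switch off the default HTML escaping that this commit enables for Mako output, so on these two lines the template trusts `form` and `roles` to be fully escaped HTML already; that contract is not stated anywhere in the hunk. A short template comment above the fieldsets, e.g. `## form and roles are pre-rendered, already-escaped HTML fragments; do not pass raw values`, would make it visible to anyone who later changes how those fragments are built, since any unescaped attribute value reaching them would be emitted verbatim.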