Posted to commits@whimsical.apache.org by ru...@apache.org on 2020/06/09 17:28:01 UTC
[whimsy] branch master updated: untaint templates
This is an automated email from the ASF dual-hosted git repository.
rubys pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new 3a0aa52 untaint templates
3a0aa52 is described below
commit 3a0aa52bebbcca75508ef983711df550db6483b3
Author: Sam Ruby <ru...@intertwingly.net>
AuthorDate: Tue Jun 9 13:27:45 2020 -0400
untaint templates
---
www/board/agenda/views/actions/reminder-text.json.rb | 2 +-
www/board/agenda/views/actions/send-reminders.json.rb | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/www/board/agenda/views/actions/reminder-text.json.rb b/www/board/agenda/views/actions/reminder-text.json.rb
index 7d3d4fc..ac6508f 100644
--- a/www/board/agenda/views/actions/reminder-text.json.rb
+++ b/www/board/agenda/views/actions/reminder-text.json.rb
@@ -25,7 +25,7 @@ view = {
}
# perform the substitution
-template = Mustache.render(template, view)
+template = Mustache.render(template.untaint, view)
# extract subject
subject = template[/Subject: (.*)/, 1]
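Review bot: `template.untaint` in the `Mustache.render` call clears the taint flag with no check visible in this hunk and no comment saying why the template text can be trusted. Because `untaint` removes the only marker that the string came from outside the process, please either validate `template` before this line or add a comment under `# perform the substitution` stating where the template originates and why rendering it is safe. The commit message "untaint templates" does not record that reasoning either.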
diff --git a/www/board/agenda/views/actions/send-reminders.json.rb b/www/board/agenda/views/actions/send-reminders.json.rb
index 2acbbd8..a738061 100644
--- a/www/board/agenda/views/actions/send-reminders.json.rb
+++ b/www/board/agenda/views/actions/send-reminders.json.rb
@@ -44,8 +44,8 @@ Agenda.parse(@agenda, :full).each do |item|
}
# apply changes to both subject and the message text itself
- subject = Mustache.render(@subject, view)
- message = Mustache.render(@message, view)
+ subject = Mustache.render(@subject.untaint, view)
+ message = Mustache.render(@message.untaint, view)
# cc list
cclist = []
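Review bot: `@subject.untaint` and `@message.untaint` sit inside the `Agenda.parse(@agenda, :full).each do |item|` block, so they run for every agenda item even though `untaint` modifies the receiver in place and only the first call changes anything. Consider untainting once before the loop, next to whatever check or comment justifies trusting these two values, and leaving the `Mustache.render(@subject, view)` and `Mustache.render(@message, view)` calls as they were. That also keeps the trust decision in one place, not repeated at each render site.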