Posted to commits@couchdb.apache.org by ro...@apache.org on 2014/10/06 16:52:13 UTC

fauxton commit: updated refs/heads/master to b26541c

Repository: couchdb-fauxton
Updated Branches:
  refs/heads/master dee7baa94 -> b26541cb6


Fix XSS issue

You could inject JS via the url callback:
/#noAccess?urlback="><script>alert(9)</script>


Project: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/commit/b26541cb
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/tree/b26541cb
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/diff/b26541cb

Branch: refs/heads/master
Commit: b26541cb650b9d69c64e3682261b3424b723704b
Parents: dee7baa
Author: Robert Kowalski <ro...@kowalski.gd>
Authored: Mon Oct 6 16:50:10 2014 +0200
Committer: Robert Kowalski <ro...@kowalski.gd>
Committed: Mon Oct 6 16:50:10 2014 +0200

----------------------------------------------------------------------
 app/addons/auth/templates/noAccess.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-fauxton/blob/b26541cb/app/addons/auth/templates/noAccess.html
----------------------------------------------------------------------
diff --git a/app/addons/auth/templates/noAccess.html b/app/addons/auth/templates/noAccess.html
index ab2cf7f..689134c 100644
--- a/app/addons/auth/templates/noAccess.html
+++ b/app/addons/auth/templates/noAccess.html
@@ -16,6 +16,6 @@ the License.
   <h2>Access Denied</h2>
   <p>
     You do not have permission to view this page.<br />
-    You might need to <a href="#login<% if (urlBack){ %>?urlback=<%=urlBack%>  <% } %> ">login</a>.
+    You might need to <a href="#login<% if (urlBack){ %>?urlback=<%-urlBack%> <% } %> ">login</a>.
   </p>
-</div>
\ No newline at end of file
+</div>
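
Review bot: On the changed `<a href="#login...">` line, `<%-urlBack%>` only HTML-escapes the value (assuming Underscore-style templates, where `<%-` escapes and `<%=` interpolates raw); it does not URL-encode it. That stops the `">` attribute breakout from the commit message, but `urlBack` still lands unencoded in the `?urlback=` parameter, so characters such as `&`, `#` or spaces in it can change how the link is parsed. Consider passing `encodeURIComponent(urlBack)` into the template and keeping the `<%-` escaping on top. The space left between `<%-urlBack%>` and `<% } %>`, and the one before the closing quote, also end up inside the `href` value and could be dropped. A regression test that renders the template with the `"><script>` payload from the commit message would keep someone from switching back to `<%=` later. The hunk does not show where the login view consumes `urlback`; it is worth confirming that code accepts only in-app routes before navigating to it.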