Description

If a page name contains a quote ('"'), RenamePage form does not display the original name correctly.

This may cause also XSS issues.

Steps to reproduce

  1. Try to rename this page

  2. The "rename to" box contains "MoinMoinBugs/RenamePage"

Expected: the rename to box should contain the original name.

Component selection

Details

1.3 and later.

Workaround

None.

Discussion

The problem is caused by adding the name without proper escaping:

moin-1.5.6, RenamePage.py line 66: 

            'pagename': self.pagename,

Should be: 

            'pagename': wikiutil.escape(self.pagename, 1),

Plan

CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/RenamePage"WithQuotes (last edited 2007-10-29 19:13:39 by localhost)