Description

security/antispam.py needs to escape the contents of the matched group when reporting that it can't save.

Steps to reproduce

  1. Add a LocalBadContent pattern such as <a\s+href\s+ .

  2. Save a page whose text matches this pattern; the matched text (match.group()) is substituted unescaped into the "Sorry, can not save page" error message, so any markup in the match is rendered by the browser as part of the error page.
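The two steps above, reduced to a stand-alone script. This is an added example, not code from MoinMoin: it rebuilds the message the way antispam.py does, once with the raw match (the reported behaviour) and once with the match escaped (the proposed fix). `html.escape(quote=False)` stands in for `wikiutil.escape`, since both replace `&`, `<` and `>`; the pattern list, the page texts and the `IGNORECASE` flag are constructed for the example and are not the wiki's real configuration.

```python
import html
import re

# Constructed stand-in for the wiki's LocalBadContent patterns. The first is
# the pattern from the bug report; the second is made up so that the echoed
# match can carry a complete tag rather than just an opening fragment.
BAD_CONTENT_PATTERNS = [
    r"<a\s+href\s+",
    r"<script[^>]*>",
]

# Stand-in for MoinMoin's wikiutil.escape, which replaces &, < and >.
# html.escape with quote=False touches exactly those three characters.
def escape(text):
    return html.escape(text, quote=False)

def find_bad_content(page_text, patterns=BAD_CONTENT_PATTERNS):
    """Return the first matched span (what match.group() yields in antispam.py), or None.

    The IGNORECASE flag is a choice made for this example, not taken from MoinMoin.
    """
    for pattern in patterns:
        match = re.search(pattern, page_text, re.IGNORECASE)
        if match:
            return match.group()
    return None

# Same template as the message in antispam.py, minus gettext.
MSG = 'Sorry, can not save page because "%(content)s" is not allowed in this wiki.'

def save_error_message_unescaped(matched):
    """Message as built before the patch: the match lands in the HTML page raw."""
    return MSG % {'content': matched}

def save_error_message_escaped(matched):
    """Message as built after the patch: the match is escaped first."""
    return MSG % {'content': escape(matched)}

def contains_raw_markup(message):
    """Regression check: no unescaped tag delimiters may survive in the message."""
    return "<" in message or ">" in message

def demo(page_text):
    """Run the check on one submission and return both message variants."""
    matched = find_bad_content(page_text)
    if matched is None:
        return None
    return {
        "match": matched,
        "unescaped": save_error_message_unescaped(matched),
        "escaped": save_error_message_escaped(matched),
    }

if __name__ == "__main__":
    # Constructed page submissions, not real wiki content.
    for text in ['Click <a href "http://x.example/">here</a>',
                 'look <script src=http://x.example/x.js></script>']:
        result = demo(text)
        print(result["unescaped"])
        print(result["escaped"])
        print("raw markup leaks: before=%s after=%s" % (
            contains_raw_markup(result["unescaped"]),
            contains_raw_markup(result["escaped"])))
```

Note that the echoed text is only the matched span, so how much an author can smuggle into the error page depends on how greedy the LocalBadContent pattern is; the `<script[^>]*>` pattern shows the worst case, where a whole tag is reflected.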

Component selection

Details

Proposed patch:

amk@ximinez:/var/lib/python-support/python2.5/MoinMoin/security$ diff -u /home/amk/src/moin-1.7.1/MoinMoin/security/antispam.py /var/lib/python-support/python2.5/MoinMoin/security/antispam.py
--- /home/amk/src/moin-1.7.1/MoinMoin/security/antispam.py      2008-03-01 22:10:37.000000000 +0100
+++ /var/lib/python-support/python2.5/MoinMoin/security/antispam.py     2009-01-25 00:33:09.000000000 +0100
@@ -185,7 +185,7 @@
                         # Log error and raise SaveError, PageEditor should handle this.
                         _ = editor.request.getText
                         msg = _('Sorry, can not save page because "%(content)s" is not allowed in this wiki.') % {
-                                'content': match.group()
+                                'content': wikiutil.escape(match.group())
                               }
                         logging.info(msg)
                         raise editor.SaveError(msg)
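Review bot: the hunk calls `wikiutil.escape` but adds no import, so it only works if antispam.py already has `wikiutil` in scope at module level; confirm that import exists before applying, or add `from MoinMoin import wikiutil` alongside the change. A second effect to be aware of: the escaped string is the same `msg` that goes to `logging.info(msg)` two lines later, so log entries will now read `&lt;a href ` instead of the raw match. If operators grep the log for the literal bad content, escape only the copy passed to `editor.SaveError(msg)` and log the unescaped form.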

A quick scan of the module didn't turn up any other messages that would obviously need similar changes. I'm using 1.7.1, but the bug seems to still be present in the current development sources.

Workaround

Discussion

Plan


CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/XSSinAntispam (last edited 2009-01-27 20:21:25 by ThomasWaldmann)