Fix two XSS vulnerabilities.

The title in the OpenGraph header was not being properly escaped, and the hide pins/all pins links were using single quotes which were able to be broken out of. Also remove the single quotes around rss_feed_uri, though this is not a vulnerability as its contents were sanitised (postcode or co-ords).
mysociety · Jul 6, 2016 · c9dc13d · c9dc13d
1 parent a060d03
commit c9dc13d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
@@ -20,7 +20,7 @@
   <p id="rss_local">
     <input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
     <label class="inline" for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
-    <a href='[% rss_feed_uri %]'><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
+    <a href="[% rss_feed_uri %]"><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
     <br />
     [% loc('(a default distance which covers roughly 200,000 people)') %]
   </p>

diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
@@ -55,16 +55,16 @@
         <p id='sub_map_links'>
             [% map_sub_links %]
             [% IF c.req.params.no_pins %]
-                <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 0 } ) %]'>[% loc('Show pins') %]</a>
+                <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 0 } ) %]">[% loc('Show pins') %]</a>
             [% ELSE %]
-                <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 1 } ) %]'>[% loc('Hide pins') %]</a>
+                <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 1 } ) %]">[% loc('Hide pins') %]</a>
             [% END %]
             [% IF c.cobrand.country == 'GB' || c.cobrand.country == 'NO' %]
                 <span class="hidden">|</span>
                 [% IF c.req.params.all_pins %]
-                    <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]'>[% loc('Hide old') %]</a>
+                    <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]">[% loc('Hide old') %]</a>
                 [% ELSE %]
-                    <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]'>[% loc('Show old') %]</a>
+                    <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]">[% loc('Show old') %]</a>
                 [% END %]
             [% END %]
         </p>

diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html
@@ -1,5 +1,5 @@
         <meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
-        <meta property="og:title" content="[% title || site_name %]">
+        <meta property="og:title" content="[% title || site_name | html %]">
         <meta property="og:site_name" content="[% site_name %]">
         [% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %]
         <meta property="og:type" content="website">