From c9dc13d3c966abc11203bfb18404d8a40e795b3b Mon Sep 17 00:00:00 2001
From: Matthew Somerville <matthew-github@dracos.co.uk>
Date: Wed, 6 Jul 2016 12:16:33 +0100
Subject: [PATCH] Fix two XSS vulnerabilities.

The title in the OpenGraph header was not being properly escaped, and
the hide pins/all pins links were using single quotes which were able
to be broken out of.

Also remove the single quotes around rss_feed_uri, though this is not
a vulnerability as its contents were sanitised (postcode or co-ords).
---
 templates/web/base/alert/_list.html             | 2 +-
 templates/web/base/around/display_location.html | 8 ++++----
 templates/web/base/header_opengraph.html        | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/templates/web/base/alert/_list.html b/templates/web/base/alert/_list.html
index 65bba2fed84..f94ce84f83d 100644
--- a/templates/web/base/alert/_list.html
+++ b/templates/web/base/alert/_list.html
@@ -20,7 +20,7 @@
   <p id="rss_local">
     <input type="radio" name="feed" id="[% rss_feed_id %]" value="[% rss_feed_id %]"[% IF rss_feed_id == selected_feed || selected_feed == '' %] checked[% END %]>
     <label class="inline" for="[% rss_feed_id %]">[% tprintf( loc('Problems within %.1fkm of this location'), population_radius ) %]</label>
-    <a href='[% rss_feed_uri %]'><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
+    <a href="[% rss_feed_uri %]"><img src='/i/feed.png' width='16' height='16' title='[% loc('RSS feed of nearby problems') %]' alt='[% loc('RSS feed') %]' border='0'></a>
     <br />
     [% loc('(a default distance which covers roughly 200,000 people)') %]
   </p>
diff --git a/templates/web/base/around/display_location.html b/templates/web/base/around/display_location.html
index 7c54f4b7614..b2e578d3f7f 100755
--- a/templates/web/base/around/display_location.html
+++ b/templates/web/base/around/display_location.html
@@ -55,16 +55,16 @@
         <p id='sub_map_links'>
             [% map_sub_links %]
             [% IF c.req.params.no_pins %]
-                <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 0 } ) %]'>[% loc('Show pins') %]</a>
+                <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 0 } ) %]">[% loc('Show pins') %]</a>
             [% ELSE %]
-                <a id='hide_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => 1 } ) %]'>[% loc('Hide pins') %]</a>
+                <a id='hide_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => 1 } ) %]">[% loc('Hide pins') %]</a>
             [% END %]
             [% IF c.cobrand.country == 'GB' || c.cobrand.country == 'NO' %]
                 <span class="hidden">|</span>
                 [% IF c.req.params.all_pins %]
-                    <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]'>[% loc('Hide old') %]</a>
+                    <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => undef } ) %]">[% loc('Hide old') %]</a>
                 [% ELSE %]
-                    <a id='all_pins_link' rel='nofollow' href='[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]'>[% loc('Show old') %]</a>
+                    <a id='all_pins_link' rel='nofollow' href="[% c.uri_with( { no_pins => undef, all_pins => 1 } ) %]">[% loc('Show old') %]</a>
                 [% END %]
             [% END %]
         </p>
diff --git a/templates/web/base/header_opengraph.html b/templates/web/base/header_opengraph.html
index f728d083fa1..6b2c8ff46ae 100644
--- a/templates/web/base/header_opengraph.html
+++ b/templates/web/base/header_opengraph.html
@@ -1,5 +1,5 @@
         <meta property="og:url" content="[% c.cobrand.base_url %][% c.req.uri.path %]">
-        <meta property="og:title" content="[% title || site_name %]">
+        <meta property="og:title" content="[% title || site_name | html %]">
         <meta property="og:site_name" content="[% site_name %]">
         [% IF c.req.uri.path == '/' %]<meta property="og:description" content="Report, view, and discuss local street-related problems.">[% END %]
         <meta property="og:type" content="website">