InlineMultiCheckboxWidget renders unescaped items

Bug #741639 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Ian Booth

Bug Description

InlineMultiCheckboxWidget does this:

    <ul tal:condition="items">
      <li tal:condition="view/linkify_items"
          tal:repeat="item items"
          tal:content="structure item/fmt:link"/>
      <li tal:condition="not:view/linkify_items"
          tal:repeat="item items"
          tal:content="structure item"/>
    </ul>

While it's reasonable to expect fmt:link to be safe without escaping, it's not a sensible default to not escape items when linkify_items is false.

No current callsites are affected, but it's going to trip somebody over eventually.
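
An audit for the pattern this report describes, added here as an example; it is not part of the original report and not Launchpad's code or its actual fix. The function names (`audit`, `harden`, `is_formatter_expr`) are hypothetical, and treating `fmt:` adapters as returning already-escaped markup is an assumption taken from the report's own expectation about `fmt:link`.

```python
import re

# The widget template quoted in the report, embedded as sample input.
TEMPLATE = '''\
<ul tal:condition="items">
  <li tal:condition="view/linkify_items"
      tal:repeat="item items"
      tal:content="structure item/fmt:link"/>
  <li tal:condition="not:view/linkify_items"
      tal:repeat="item items"
      tal:content="structure item"/>
</ul>
'''

# tal:content / tal:replace escape their value by default; the leading
# "structure" keyword switches that escaping off.
STRUCTURE_ATTR = re.compile(
    r'tal:(content|replace)\s*=\s*"\s*structure\s+([^"]+?)\s*"')

def is_formatter_expr(expr):
    """Assumption: a path ending in a fmt: adapter yields escaped markup."""
    return expr.rsplit("/", 1)[-1].startswith("fmt:")

def audit(source):
    """Return (line, expression) for each raw, non-formatter insertion."""
    findings = []
    for match in STRUCTURE_ATTR.finditer(source):
        expr = match.group(2)
        if not is_formatter_expr(expr):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, expr))
    return findings

def harden(source):
    """Drop "structure" from flagged attributes so TAL escapes the value."""
    def fix(match):
        if is_formatter_expr(match.group(2)):
            return match.group(0)  # formatter output is meant to be markup
        return 'tal:%s="%s"' % (match.group(1), match.group(2))
    return STRUCTURE_ATTR.sub(fix, source)

if __name__ == "__main__":
    for line, expr in audit(TEMPLATE):
        print("line %d: unescaped 'structure %s'" % (line, expr))
    print(harden(TEMPLATE))
```

Every `structure` expression the audit skips still depends on the formatter escaping what it interpolates, so those adapters need their own review.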

Ian Booth (wallyworld)
Changed in launchpad:
assignee: nobody → Ian Booth (wallyworld)
Launchpad QA Bot (lpqabot) wrote :
Changed in launchpad:
milestone: none → 11.05
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → Fix Committed
William Grant (wgrant)
tags: added: qa-untestable
removed: qa-needstesting
Curtis Hovey (sinzui)
Changed in launchpad:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
