e3b242e4d8
- html-escape flash_info() / flash_error() messages to fix XSS if the message contains user-supplied input (thanks to Filippo Cavallarin for the report). Note: This will cause ugly output for some german error messages which contain ü etc., and the warning message in backup.php (with some HTML tags included) will also look totally ugly. Nevertheless, that's still better than XSS attacks ;-) git-svn-id: https://svn.code.sf.net/p/postfixadmin/code/trunk@1331 a1433add-5e2c-0410-b055-b7f2511e0802
<!-- {$smarty.template} -->
<br clear="all"/><br />
{strip}
    {* Footer fragment: renders the session flash messages ($smarty.session.flash)
       as one <ul> for "info" and one for "error" messages.
       Every message is passed through |escape:html before output, so a message
       that embeds user-supplied input is rendered as text rather than as markup
       (this is the XSS fix described in the commit message; the trade-off is
       that messages already containing HTML or non-ASCII entities display raw). *}

    {* The container check comes first so flash.info / flash.error are only
       examined once the flash array itself exists. *}
    {if isset($smarty.session.flash) && isset($smarty.session.flash.info)}
        <ul class="flash-info">
            {foreach from=$smarty.session.flash.info item=message}
                <li>{$message|escape:html}</li>
            {/foreach}
        </ul>
    {/if}

    {if isset($smarty.session.flash) && isset($smarty.session.flash.error)}
        <ul class="flash-error">
            {foreach from=$smarty.session.flash.error item=message}
                <li>{$message|escape:html}</li>
            {/foreach}
        </ul>
    {/if}
{/strip}