[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=3594
[commit: http://hg.dwscoalition.org/dw-free/rev/c87f305f2961]
http://bugs.dwscoalition.org/show_bug.cgi?id=3594
Escape all HTML from the returnto URLs.
Patch by
fu.
Files modified:
http://bugs.dwscoalition.org/show_bug.cgi?id=3594
Escape all HTML from the returnto URLs.
Patch by
Files modified:
- cgi-bin/LJ/Widget/Login.pm
- schemes/common.tt
--------------------------------------------------------------------------------
diff -r 1990cc16e9d4 -r c87f305f2961 cgi-bin/LJ/Widget/Login.pm
--- a/cgi-bin/LJ/Widget/Login.pm Wed Apr 20 10:53:12 2011 +0800
+++ b/cgi-bin/LJ/Widget/Login.pm Wed Apr 20 11:04:34 2011 +0800
@@ -66,7 +66,7 @@ sub render_body {
}
if ($opts{returnto}) {
- $ret .= LJ::html_hidden('returnto', $opts{returnto});
+ $ret .= LJ::html_hidden('returnto', LJ::ehtml($opts{returnto}));
}
my $hook_rv = LJ::Hooks::run_hook("login_form_$opts{mode}", create_link => $opts{create_link});
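Review bot: The added `LJ::ehtml` wrap on `$opts{returnto}` risks double-escaping if `LJ::html_hidden` already HTML-escapes plain name/value pairs, which I believe the LiveJournal version of that helper does by default; that would turn an `&` in a returnto query string into `&amp;amp;` and break the round-trip. Please confirm what `html_hidden` does with its value argument before landing this, and if it escapes already, keep the original line or use the helper's hashref form with explicit escaping control instead. Independently, escaping only neutralizes attribute injection; it does not make the value safe to redirect to, so wherever the posted `returnto` field is consumed it should still be checked to be a same-site path (at minimum rejecting non-http(s) schemes such as `javascript:`), which is outside this hunk. `render_body` starts before this hunk and continues past it.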
@@ -153,7 +153,7 @@ sub render_body {
# Save offsite redirect uri between POSTs
my $redir = $opts{get_ret} || $opts{post_ret};
- $ret .= LJ::html_hidden('ret', $redir) if $redir && $redir != 1;
+ $ret .= LJ::html_hidden('ret', LJ::ehtml($redir)) if $redir && $redir != 1;
$ret .= "</form>\n";
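Review bot: `$redir != 1` on the new line compares a URL string numerically; under `use warnings` any non-numeric `$redir` emits an "isn't numeric" warning, and the intent (skip the sentinel value 1) reads better as a string test: `$ret .= LJ::html_hidden('ret', LJ::ehtml($redir)) if $redir && $redir ne '1';`. The same double-escaping question as for `returnto` applies here: if `LJ::html_hidden` escapes by default, wrapping `$redir` in `LJ::ehtml` will corrupt `&`-separated query strings in the offsite redirect URI, so confirm the helper's behaviour. The comment above calls this an offsite redirect URI, so note that escaping does not validate the target; the consumer of `ret` should allowlist or otherwise validate it. `render_body` continues outside this hunk.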
diff -r 1990cc16e9d4 -r c87f305f2961 schemes/common.tt
--- a/schemes/common.tt Wed Apr 20 10:53:12 2011 +0800
+++ b/schemes/common.tt Wed Apr 20 11:04:34 2011 +0800
@@ -93,7 +93,7 @@ the same terms as Perl itself. For a co
[%- ELSE -%]
[%- chal = dw_scheme.challenge_generate(300) -%]
[%- -%]<form action='[% site.root %]/login?ret=1' method='post'>
- [%- -%]<input type="hidden" name="returnto" value="[% get.returnto %]" />
+ [%- -%]<input type="hidden" name="returnto" value="[% get.returnto | html %]" />
[%- -%]<input type='hidden' name='chal' class='lj_login_chal' value='[% chal %]' />
<input type='hidden' name='response' class='lj_login_response' value='' />
<table summary='' id='login-table'>
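Review bot: The `| html` filter on `get.returnto` closes the attribute-injection hole but leaves the value usable as an arbitrary redirect target; `get.returnto` comes straight from the query string, so the `/login` handler that reads the posted `returnto` field should verify it is a relative path under `site.root` (and not a `javascript:` or protocol-relative URL) before redirecting, which the template cannot do on its own. For consistency, `chal` on the following line is interpolated into a quoted attribute without a filter; it is server-generated by `challenge_generate`, so it is presumably safe, but `value='[% chal | html %]'` would make the form uniformly escaped at no cost. The `ELSE` branch and the `<form>` element continue past this hunk.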
--------------------------------------------------------------------------------
