Changes between Version 15 and Version 16 of UsingFreeComment


Timestamp:
04/24/07 20:36:46 (8 years ago)
Author:
Simon G. <dev@…>
Comment:

person_name is user input, so it needs to be HTML-escaped to protect against XSS attacks

  • UsingFreeComment

    v15 v16  
    130130        <div class="comment_{% cycle odd,even %}" id="c{{ comment.id }}">
    131131                <span class="comnum"><a id="c{{ comment.id }}" href="#c{{ comment.id }}">#{{ forloop.counter }}</a></span>
    132                 <p><b>{{ comment.person_name }}</b> commented, on {{ comment.submit_date|date:"F j, Y" }} at {{ comment.submit_date|date:"P" }}:</p>
     132                <p><b>{{ comment.person_name|escape }}</b> commented, on {{ comment.submit_date|date:"F j, Y" }} at {{ comment.submit_date|date:"P" }}:</p>
    133133                {{ comment.comment|escape|urlizetrunc:40|linebreaks }}
    134134        </div>
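Review bot: the `id="c{{ comment.id }}"` attribute appears on both the `<div>` (line 130) and the inner `<a>` (line 131), so every comment emits the same id twice, which is invalid HTML and makes the `href="#c…"` fragment ambiguous; drop the id from one of the two elements. The `|escape` added on line 132 is the right fix and matches the `escape` already applied to `comment.comment` on line 133; in this pre-autoescape template every other user-supplied value rendered in this block should get the same treatment.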
     
    186186            <div class="comment">
    187187            {{ comment.comment|escape|urlizetrunc:"40"|linebreaks }}
    188             <p class="date small">Posted by <strong>{{ comment.person_name }}</strong></p>
     188            <p class="date small">Posted by <strong>{{ comment.person_name|escape }}</strong></p>
    189189            </div>
    190190
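Review bot: line 187 passes the `urlizetrunc` argument as a quoted string (`urlizetrunc:"40"`) while line 133 in the first block passes it unquoted (`urlizetrunc:40`); both forms work, but use one spelling across the page so a reader comparing the two templates is not left wondering whether the difference is meaningful. The filter order `escape|urlizetrunc|linebreaks` is correct: escaping runs first, before `urlizetrunc` and `linebreaks` add their own markup, so the generated anchor and paragraph tags are not themselves escaped.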
     
    198198        {% endif %}
    199199
    200         <p><label for="id_person_name">Your name:</label> {{ comment_form.person_name }}</p>
     200        <p><label for="id_person_name">Your name:</label> {{ comment_form.person_name|escape }}</p>
    201201
    202202        {% if comment_form.comment.errors %}
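Review bot: applying `|escape` to `comment_form.person_name` on line 200 is likely to break the form rather than harden it. The `<label for="id_person_name">` next to it indicates that `comment_form.person_name` renders the `<input id="id_person_name" …>` widget, not a bare string, so escaping its output turns the widget markup into literal `&lt;input …&gt;` text. The form-field wrapper is responsible for escaping the submitted value inside the `value="…"` attribute; verify that it does, and remove the filter here if the variable renders HTML.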
     
    312312            <h3>
    313313                        <a href="{{ comment.get_absolute_url }}">
    314                                 {{ comment.person_name }}
     314                                {{ comment.person_name|escape }}
    315315                                <span class="small quiet">
    316316                                        {{ comment.submit_date|date:"F j, Y" }} at {{ comment.submit_date|date:"P" }}
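Review bot: line 314 escapes the link text but leaves `{{ comment.get_absolute_url }}` on line 313 unescaped inside an `href` attribute. If that URL can contain anything derived from user input, it needs escaping in attribute context as well, otherwise a stray quote closes the attribute; if it is built purely from the comment's numeric id, add a short note on the wiki page saying so, since a reader applying this fix will otherwise have to check.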