Fix XSS js injection

This commit is contained in:
Valentin Samir 2017-11-17 15:23:25 +01:00
parent f1a47e7766
commit 971cde093c
4 changed files with 11 additions and 9 deletions

View File

@ -25,6 +25,7 @@ Fixed
if the user dn was not found. This was causing the exception
``'NoneType' object has no attribute 'getitem'`` describe in #21
* Increase the max size of usernames (30 chars to 250)
* Fix XSS js injection

View File

@ -58,7 +58,7 @@
class="alert alert-danger"
{% endif %}
{% endspaceless %}>
<p>{{message|safe}}</p>
<p>{{message}}</p>
</div>
{% endfor %}
{% if auto_submit %}</noscript>{% endif %}

View File

@ -2,6 +2,6 @@
{% load staticfiles %}
{% load i18n %}
{% block content %}
<div class="alert alert-success" role="alert">{{logout_msg|safe}}</div>
<div class="alert alert-success" role="alert">{{logout_msg}}</div>
{% endblock %}

View File

@ -23,6 +23,7 @@ from django.views.decorators.csrf import csrf_exempt
from django.middleware.csrf import CsrfViewMiddleware
from django.views.generic import View
from django.utils.encoding import python_2_unicode_compatible
from django.utils.safestring import mark_safe
import re
import logging
@ -181,24 +182,24 @@ class LogoutView(View, LogoutMixin):
else:
# build logout message depending of the number of sessions the user logs out
if session_nb == 1:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You have successfully logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
)
))
elif session_nb > 1:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You have successfully logged out from %s sessions of the Central "
"You have successfully logged out from %d sessions of the Central "
"Authentication Service. "
"For security reasons, close your web browser."
) % session_nb
) % session_nb)
else:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You were already logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
)
))
# depending of settings, redirect to the login page with a logout message or display
# the logout page. The default is to display tge logout page.