ynerant
/
django-cas-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix XSS js injection

This commit is contained in:
Valentin Samir 2017-11-17 15:23:25 +01:00
parent f1a47e7766
commit 971cde093c
4 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.rst
View File

@ -25,6 +25,7 @@ Fixed
if the user dn was not found. This was causing the exception if the user dn was not found. This was causing the exception
``'NoneType' object has no attribute 'getitem'`` describe in #21 ``'NoneType' object has no attribute 'getitem'`` describe in #21
* Increase the max size of usernames (30 chars to 250) * Increase the max size of usernames (30 chars to 250)
* Fix XSS js injection

2
cas_server/templates/cas_server/base.html
View File

@ -58,7 +58,7 @@
class="alert alert-danger" class="alert alert-danger"
{% endif %} {% endif %}
{% endspaceless %}> {% endspaceless %}>
<p>{{message|safe}}</p> <p>{{message}}</p>
</div> </div>
{% endfor %} {% endfor %}
{% if auto_submit %}</noscript>{% endif %} {% if auto_submit %}</noscript>{% endif %}

2
cas_server/templates/cas_server/logout.html
View File

@ -2,6 +2,6 @@
{% load staticfiles %} {% load staticfiles %}
{% load i18n %} {% load i18n %}
{% block content %} {% block content %}
<div class="alert alert-success" role="alert">{{logout_msg|safe}}</div> <div class="alert alert-success" role="alert">{{logout_msg}}</div>
{% endblock %} {% endblock %}

15
cas_server/views.py
View File

@ -23,6 +23,7 @@ from django.views.decorators.csrf import csrf_exempt
from django.middleware.csrf import CsrfViewMiddleware from django.middleware.csrf import CsrfViewMiddleware
from django.views.generic import View from django.views.generic import View
from django.utils.encoding import python_2_unicode_compatible from django.utils.encoding import python_2_unicode_compatible
from django.utils.safestring import mark_safe
import re import re
import logging import logging
@ -181,24 +182,24 @@ class LogoutView(View, LogoutMixin):
else: else:
# build logout message depending of the number of sessions the user logs out # build logout message depending of the number of sessions the user logs out
if session_nb == 1: if session_nb == 1:
logout_msg = _( logout_msg = mark_safe(_(
"<h3>Logout successful</h3>" "<h3>Logout successful</h3>"
"You have successfully logged out from the Central Authentication Service. " "You have successfully logged out from the Central Authentication Service. "
"For security reasons, close your web browser." "For security reasons, close your web browser."
) ))
elif session_nb > 1: elif session_nb > 1:
logout_msg = _( logout_msg = mark_safe(_(
"<h3>Logout successful</h3>" "<h3>Logout successful</h3>"
"You have successfully logged out from %s sessions of the Central " "You have successfully logged out from %d sessions of the Central "
"Authentication Service. " "Authentication Service. "
"For security reasons, close your web browser." "For security reasons, close your web browser."
) % session_nb ) % session_nb)
else: else:
logout_msg = _( logout_msg = mark_safe(_(
"<h3>Logout successful</h3>" "<h3>Logout successful</h3>"
"You were already logged out from the Central Authentication Service. " "You were already logged out from the Central Authentication Service. "
"For security reasons, close your web browser." "For security reasons, close your web browser."
) ))
# depending of settings, redirect to the login page with a logout message or display # depending of settings, redirect to the login page with a logout message or display
# the logout page. The default is to display tge logout page. # the logout page. The default is to display tge logout page.