    Escape pieform errors displayed to users · c3fb9200
    Hugh Davenport authored
    
    
    Bug #1063480
    CVE-2012-2243
    
    If a user modifies a form in such a way that an error
    is caused based on their input there is a possible XSS
    avenue.
    
    This was displayed in the user/group CSV uploads, with
    a malicious script in the header which causes a CSV parsing
    error and was then passed back to the user verbatim.
    
    This patch escapes all error messages in the pieform error
    output.
    
    Change-Id: I136546266115faa92b727317d6539518d73aea55
    Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
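
The failure mode the commit message describes, shown as an added example that is not code from Mahara or pieform: an error message built from an uploaded CSV header is rendered once verbatim and once escaped at the output boundary. The function names, the allowed-column list and the sample upload are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names and sample data are hypothetical, not pieform's own code.

/** Validate the CSV header row; return an error message naming the first unknown column. */
function check_csv_header(string $csv, array $allowed): ?string {
    $lines  = preg_split('/\R/', $csv);
    $header = str_getcsv($lines[0], ',', '"', '\\');
    foreach ($header as $field) {
        if (!in_array($field, $allowed, true)) {
            // The message now embeds text taken straight from the upload.
            return 'Unknown field in CSV header: ' . $field;
        }
    }
    return null;
}

/** Before: the error text is concatenated into the page verbatim. */
function render_error_unescaped(string $msg): string {
    return '<div class="errmsg">' . $msg . '</div>';
}

/** After: every error message is HTML-escaped where it is written out. */
function render_error_escaped(string $msg): string {
    return '<div class="errmsg">'
        . htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Constructed sample upload: one header cell carries markup instead of a column name.
$upload = "username,<script>alert(1)</script>,email\njdoe,x,jdoe@example.org\n";
$error  = check_csv_header($upload, ['username', 'email', 'password']);

if ($error !== null) {
    // Verbatim rendering: the header cell reaches the browser as live markup.
    echo render_error_unescaped($error), "\n";
    // Escaped rendering: the same cell is shown as inert text.
    echo render_error_escaped($error), "\n";
}
```

Escaping in the single function that emits error output covers every message source, including parser errors that echo user input, rather than relying on each caller to sanitise its own message.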