Index: test/test_cgi.py
===================================================================
--- test/test_cgi.py (revision 88880)
+++ test/test_cgi.py (working copy)
@@ -48,17 +48,23 @@
 self.assertEqual(cm('
x
'), '
x
') self.assertEqual(cm('x'), 'x') self.assertEqual(cm('x'), 'x') + self.assertEqual(cm('x'), 'x') + self.assertEqual(cm('x'), 'x') self.assertEqual(cm('x'), 'x') self.assertEqual(cm('
x
'), '
x
') self.assertEqual(cm('x'), 'x') self.assertEqual(cm('x'), 'x') + self.assertEqual(cm('x'), 'x') + self.assertEqual(cm('X'), 'X') + self.assertEqual(cm('X'), 'X') self.assertEqual(cm('x'), 'x') def testCleanMessageBAD(self): self.assertEqual(cm(''), '<script>x</script>') + self.assertEqual(cm('<>'), + '<<script >>alert(42);5<</script >>') self.assertEqual(cm(''), '<iframe>x</iframe>')
Index: roundup/cgi/client.py
===================================================================
--- roundup/cgi/client.py (revision 88880)
+++ roundup/cgi/client.py (working copy)
@@ -38,18 +38,15 @@
 description="User may manipulate user Roles through the web")
 security.addPermissionToRole('Admin', p)
-# used to clean messages passed through CGI variables - HTML-escape any tag
-# that isn't , , and
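Review bot: In the test/test_cgi.py hunk, testCleanMessageBAD gains only the nested, whitespace-padded `<<script >>alert(42);5<</script >>` case, while the `'X'` literals added to testCleanMessageOK suggest upper-case variants of the allowed tags are now accepted; the disallowed path has no upper-case or mixed-case case, so an allowlist match that is case-insensitive for accepting but not for escaping would go unnoticed. Consider adding `self.assertEqual(cm('<SCRIPT>x</SCRIPT>'), '&lt;SCRIPT&gt;x&lt;/SCRIPT&gt;')` and a mixed-case `<ScRiPt>` variant next to the new assertion, mirroring the escaped form the existing `<script>` assertion expects. The rendered hunk has most HTML tags stripped, so the exact inputs of the new OK assertions cannot be confirmed from this page. testCleanMessageOK begins before the hunk at line 48.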
(including XHTML variants) so
-# that people can't pass through nasties like