Index: test/test_cgi.py
===================================================================
--- test/test_cgi.py (revision 88880)
+++ test/test_cgi.py (working copy)
@@ -48,17 +48,19 @@
self.assertEqual(cm('
x
'), '
x
')
self.assertEqual(cm('x'), 'x')
self.assertEqual(cm('x'), 'x')
- self.assertEqual(cm('x'),
- 'x')
+ self.assertEqual(cm('x'), 'x')
+ self.assertEqual(cm('x'), 'x')
self.assertEqual(cm('
x
'), '
x
')
self.assertEqual(cm('x'), 'x')
self.assertEqual(cm('x'), 'x')
- self.assertEqual(cm('x'),
- 'x')
+ self.assertEqual(cm('X'), 'X')
+ self.assertEqual(cm('X'), 'X')
def testCleanMessageBAD(self):
self.assertEqual(cm(''),
'<script>x</script>')
+ self.assertEqual(cm('<>'),
+ '<<script >>alert(42);5<</script >>')
self.assertEqual(cm(''),
'<iframe>x</iframe>')
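Review bot: The new BAD-case assertion at the `cm('<>')` line carries no comment saying which class of input it pins, and its expected value (which on this rendered page appears to have lost its HTML entities, so the exact string should be confirmed against the working copy) is the doubled-bracket `<<script >>...<</script >>` case, where removing one layer of tags would leave a live element, i.e. the reason the cleaner has to escape rather than strip. I would add `# doubled brackets: escaping (not stripping) must leave no live <script> after one pass` above it so a later maintainer does not "simplify" the test away. The two adjacent `+` assertion pairs earlier in the hunk render identically here; if they differ only in tag case, as the `cm('X')` pair suggests, a one-line `# tag matching is case-insensitive` comment would make that explicit. testCleanMessageBAD appears to continue past the last hunk line.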
Index: roundup/cgi/client.py
===================================================================
--- roundup/cgi/client.py (revision 88880)
+++ roundup/cgi/client.py (working copy)
@@ -38,18 +38,14 @@
description="User may manipulate user Roles through the web")
security.addPermissionToRole('Admin', p)
-# used to clean messages passed through CGI variables - HTML-escape any tag
-# that isn't , , and
(including XHTML variants) so
-# that people can't pass through nasties like