Commit 971cde09 authored by Valentin Samir's avatar Valentin Samir

Fix XSS js injection

parent f1a47e77
......@@ -25,6 +25,7 @@ Fixed
if the user dn was not found. This was causing the exception
``'NoneType' object has no attribute 'getitem'`` describe in #21
* Increase the max size of usernames (30 chars to 250)
* Fix XSS js injection
......
......@@ -58,7 +58,7 @@
class="alert alert-danger"
{% endif %}
{% endspaceless %}>
<p>{{message|safe}}</p>
<p>{{message}}</p>
</div>
{% endfor %}
{% if auto_submit %}</noscript>{% endif %}
......
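Review bot: Dropping `|safe` on `{{message}}` (and on `{{logout_msg}}` in the logout template section below) makes these outputs depend on Django's template autoescaping being active; the fix only holds if no enclosing `{% autoescape off %}` block exists, which cannot be confirmed from this hunk. Any message that intentionally carries markup must now be marked at its source, as the views.py section does for `logout_msg` with `mark_safe`; a message built from user-controlled input should go through `format_html` instead so only the fixed markup is trusted. A one-line template comment next to `{{message}}` would make the intent durable: `{# message is autoescaped on purpose; mark HTML safe in the view, never here #}`. The surrounding `{% for %}` and `{% if %}` blocks start and end outside the hunk.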
......@@ -2,6 +2,6 @@
{% load staticfiles %}
{% load i18n %}
{% block content %}
<div class="alert alert-success" role="alert">{{logout_msg|safe}}</div>
<div class="alert alert-success" role="alert">{{logout_msg}}</div>
{% endblock %}
......@@ -23,6 +23,7 @@ from django.views.decorators.csrf import csrf_exempt
from django.middleware.csrf import CsrfViewMiddleware
from django.views.generic import View
from django.utils.encoding import python_2_unicode_compatible
from django.utils.safestring import mark_safe
import re
import logging
......@@ -181,24 +182,24 @@ class LogoutView(View, LogoutMixin):
else:
# build logout message depending of the number of sessions the user logs out
if session_nb == 1:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You have successfully logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
)
))
elif session_nb > 1:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You have successfully logged out from %s sessions of the Central "
"You have successfully logged out from %d sessions of the Central "
"Authentication Service. "
"For security reasons, close your web browser."
) % session_nb
) % session_nb)
else:
logout_msg = _(
logout_msg = mark_safe(_(
"<h3>Logout successful</h3>"
"You were already logged out from the Central Authentication Service. "
"For security reasons, close your web browser."
)
))
# depending of settings, redirect to the login page with a logout message or display
# the logout page. The default is to display tge logout page.
......
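Review bot: `mark_safe` is applied to the already-formatted string on the `session_nb > 1` branch, so both the translated catalog string and the interpolated value are emitted unescaped; the `%s` to `%d` change is what keeps this safe today, since `%d` only accepts a number, but the safety now rests on a format specifier rather than on escaping. Using `format_html` from `django.utils.html` would escape the interpolated value regardless of its type and make the trust boundary explicit: `logout_msg = format_html(_("<h3>Logout successful</h3>You have successfully logged out from {} sessions of the Central Authentication Service. For security reasons, close your web browser."), session_nb)`, though that changes the msgid and requires updating the translation catalogs. Either way, the three `mark_safe` calls deserve a why-comment, e.g. `# the message carries fixed markup (<h3>); mark it safe here so the template can autoescape everything else`, since the translation catalog is now treated as trusted HTML. The enclosing method starts and ends outside the hunk.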