From 7bdf2106e3ea38ecd8eae4d57c9c8eccca005965 Mon Sep 17 00:00:00 2001
From: Andrew Plummer
Date: Mon, 15 Jun 2015 17:50:27 +0100
Subject: [PATCH] XSS fix for 'firstof' in folder template
---
 .../cmsplugin_filer_folder/plugins/folder/default.html | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cmsplugin_filer_folder/templates/cmsplugin_filer_folder/plugins/folder/default.html b/cmsplugin_filer_folder/templates/cmsplugin_filer_folder/plugins/folder/default.html
index 119711c9..b3fc1071 100644
--- a/cmsplugin_filer_folder/templates/cmsplugin_filer_folder/plugins/folder/default.html
+++ b/cmsplugin_filer_folder/templates/cmsplugin_filer_folder/plugins/folder/default.html
@@ -14,7 +14,12 @@
 {% endaddtoblock %}
-{% firstof object.title object.folder.name %}
+{# Does not use `firstof` as pre Django1.8, `firstof` does not escape its output. #}
+{% if object.title %}
+ {{ object.title }}
+{% else %}
+ {{ object.folder.name }}
+{% endif %}
 {% if object.view_option == "list" %}