Forum OpenACS Development: Re: XSS vulnerability in XoWiki and a lot of other OpenACS pages

Try making a procedure that does the work

ad_proc encode_html {string} {
    Escape HTML code
} {
    return [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] $string]
}

Then modify the patch to call this encode_html procedure instead of the xowiki includelet one and see if that helps.
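As an added, stand-alone example (not code from this thread or from OpenACS), the same escaper as a plain Tcl `proc` that runs under `tclsh` without the `ad_proc` wrapper, applied to a constructed input and checked in both element and double-quoted attribute context. The input string, the `is_safely_escaped` helper and its name are assumptions made for this example.

```tcl
# Added example, not from the thread: plain-Tcl version of the encode_html
# procedure above, so it runs with tclsh and no OpenACS installation.
proc encode_html {string} {
    # string map walks the input once and never rescans replaced text, so
    # "&" does not get double-escaped after "<" becomes "&lt;" (chained
    # regsub calls would need "&" handled first to avoid that).
    return [string map [list & "&amp;" < "&lt;" > "&gt;" \" "&quot;" ' "&#39;"] $string]
}

# Hypothetical helper: true when no character that can open a tag or close a
# quoted attribute value survives escaping ("&" is expected, as "&amp;").
proc is_safely_escaped {escaped} {
    foreach ch [list < > \" '] {
        if {[string first $ch $escaped] != -1} {
            return 0
        }
    }
    return 1
}

# Constructed untrusted input, as a wiki entry title might arrive from a form.
set untrusted {Release notes <script>alert("xss")</script> & "quotes"}

set escaped [encode_html $untrusted]
if {![is_safely_escaped $escaped]} {
    error "encode_html left a dangerous character in: $escaped"
}

# Both contexts render the payload as visible text instead of markup.
puts "element:   <h1>$escaped</h1>"
puts "attribute: <input value=\"$escaped\">"
```

Note that this covers element content and double-quoted attribute values only; a value placed inside a JavaScript string, a URL or an unquoted attribute needs context-specific encoding, which the five-character map above does not provide.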

Hi Dave,

Thank you for your answer, but I guess it won't work. It has to be called inside a method for xowiki::Weblog class, in an XoTcl perspective.

By the way, more info. I've just realized XoWiki upgrade failed because the name of some switches changed in form pages:


lead to error: unknown argument '-entries_of' for method 'instantiate_forms': valid arguments {-default_lang {}} {-parent_id {}} -forms:required -package_id:required
Details: unknown argument '-entries_of' for method 'instantiate_forms': valid arguments {-default_lang {}} {-parent_id {}} -forms:required -package_id:required
while executing
"::xotcl::interpretNonpositionalArgs $args"

The old switch to form entries was entries_of and it was changed to forms. I guess I would have to manually change all the news pages I have in my system before I can upgrade. Is it right?

Dear Eduardo,

I guess the error message comes from the prototype page "news". Actually, the upgrade scripts are supposed to add a new revision to the instantiated prototype pages. In case something went wrong, you can reload the prototype page via ds/shell (assuming the instance is called /xowiki, and the problem comes from the "news" prototype page):

::xowiki::Package initialize -url /xowiki
$package_id import-prototype-page news

Hope this helps