From 83b221799e409b407c60fd246fd883d068775016 Mon Sep 17 00:00:00 2001
From: Joey Hess <joey@kitenet.net>
Date: Fri, 25 Oct 2013 17:55:39 -0400
Subject: [PATCH 1/2] Fix XSS in site creation interface. Thanks, Gopal Bisht.

---
 debian/changelog        |  1 +
 templates/makesite.tmpl | 16 ++++++++--------
 templates/setupdns.tmpl | 10 +++++-----
 3 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index d58ec61..550ecfb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 ikiwiki-hosting (0.20130927) UNRELEASED; urgency=low
 
   * Exclude the site from showing up as a referrer in the analog report.
+  * Fix XSS in site creation interface. Thanks, Gopal Bisht.
 
  -- Joey Hess <joeyh@debian.org>  Sun, 08 Sep 2013 18:45:29 -0400
 
diff --git a/templates/makesite.tmpl b/templates/makesite.tmpl
index 02758de..2559caa 100644
--- a/templates/makesite.tmpl
+++ b/templates/makesite.tmpl
@@ -8,10 +8,10 @@
 <input type="hidden" name="type" value="<TMPL_VAR TYPE>" />
 <input type="hidden" name="hostname" value="<TMPL_VAR HOSTNAME>" />
 <input type="hidden" name="domain" value="<TMPL_VAR DOMAIN>" />
-<input type="hidden" name="internal_hostname" value="<TMPL_VAR INTERNAL_HOSTNAME>" />
+<input type="hidden" name="internal_hostname" value="<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>" />
 
 <div class="notice">
-Your site <TMPL_IF EXTERNAL_HOSTNAME><TMPL_VAR EXTERNAL_HOSTNAME><TMPL_ELSE><TMPL_VAR INTERNAL_HOSTNAME></TMPL_IF>
+Your site <TMPL_IF EXTERNAL_HOSTNAME><TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML><TMPL_ELSE><TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML></TMPL_IF>
 <TMPL_IF READY>
 has been created.
 <TMPL_ELSE>
@@ -63,18 +63,18 @@ I agree to the <a href="/terms/">Terms of Service</a>.</label>
 <h1>Domain</h1>
 <p>
 <TMPL_IF DNS_NEEDED>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to purchase that domain name. I can't do that for
 you, but you can buy the domain at sites like
 <a href="http://godaddy.com/">GoDaddy</a> or
 <a href="http://gandi.net/">Gandi</a>.
 When you buy the domain, configure it to point to
-<TMPL_VAR INTERNAL_HOSTNAME>.
+<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </TMPL_IF>
 <TMPL_IF DNS_WRONG>
-Looks like <TMPL_VAR EXTERNAL_HOSTNAME> already exists. If you own
+Looks like <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> already exists. If you own
 that domain, you need to visit your DNS Registrar, and configure
-the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME>.
+the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </TMPL_IF>
 </p>
 <p>
@@ -82,12 +82,12 @@ the domain so it points to <TMPL_VAR INTERNAL_HOSTNAME>.
 <TMPL_IF DNS_WRONG>
 <TMPL_IF RETRIED>
 <span class="error">&nbsp;&nbsp;Sorry, the DNS for
-<TMPL_VAR EXTERNAL_HOSTNAME> is still not right ...</span>
+<TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> is still not right ...</span>
 </TMPL_IF>
 </TMPL_IF>
 </p>
 <p>
-Or, you can postpone using the <TMPL_VAR EXTERNAL_HOSTNAME> domain,
+Or, you can postpone using the <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML> domain,
 and set it up later, after you've used your site for a while.
 </p>
 <p>
diff --git a/templates/setupdns.tmpl b/templates/setupdns.tmpl
index e359afa..b614bdf 100644
--- a/templates/setupdns.tmpl
+++ b/templates/setupdns.tmpl
@@ -15,20 +15,20 @@ Here you can configure the domain names used for this site.
 </p>
 <TMPL_IF DNS_NEEDED>
 <p>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to purchase that domain name. I can't do that for
 you, but you can buy the domain at sites like
 <a href="http://godaddy.com/">GoDaddy</a> or
 <a href="http://gandi.net/">Gandi</a>.
 When you buy the domain, configure it to point to
-<TMPL_VAR INTERNAL_HOSTNAME>.
+<TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </p>
 </TMPL_IF>
 <TMPL_IF DNS_WRONG>
 <p>
-To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME>,
+To make your site be available at <TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>,
 you need to visit your DNS Registrar and configure the domain
-to point to <TMPL_VAR INTERNAL_HOSTNAME>.
+to point to <TMPL_VAR INTERNAL_HOSTNAME ESCAPE=HTML>.
 </p>
 </TMPL_IF>
 </TMPL_IF>
@@ -39,7 +39,7 @@ DNS successfully configured.
 </TMPL_IF>
 
 <label for="dns_external">Main domain:</label><br />
-<input id="dns_external" name="external" size="60" value="<TMPL_VAR EXTERNAL_HOSTNAME>" /><br />
+<input id="dns_external" name="external" size="60" value="<TMPL_VAR EXTERNAL_HOSTNAME ESCAPE=HTML>" /><br />
 <label for="dns_alias">Other domains:</label><br />
 <textarea id="dns_alias" name="alias" cols="60" rows="5"><TMPL_VAR ALIAS></textarea><br />
 <input type="submit" name="submit" value="Apply" />
-- 
1.8.4.rc3