From 51c3b633fe7ad647bc3013e899c1e3a910362dd1 Mon Sep 17 00:00:00 2001
From: mdipierro
Date: Wed, 4 May 2016 09:21:20 -0500
Subject: [PATCH] remove XSS attack in installing plugin, thanks Nerendra Bhati

---
 applications/admin/controllers/default.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/applications/admin/controllers/default.py b/applications/admin/controllers/default.py
index 300370bb..a2840a51 100644
--- a/applications/admin/controllers/default.py
+++ b/applications/admin/controllers/default.py
@@ -1954,6 +1954,9 @@ def install_plugin():
 plugin = request.vars.plugin
 if not (source and app):
 raise HTTP(500, T("Invalid request"))
+ # make sure no XSS attacks in source
+ if not source.lower().split('://')[0] in ('http','https'):
+ raise HTTP(500, T("Invalid request"))
 form = SQLFORM.factory()
 result = None
 if form.process().accepted:
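Review bot: The added check is a scheme allow-list, not an XSS filter, and the comment `# make sure no XSS attacks in source` overstates what it guarantees: a value whose scheme is http/https but whose remainder carries quote characters or markup still passes, so any later code in install_plugin that echoes `source` into HTML (outside this hunk; the function starts before and continues after it) must still escape it. I would reword the comment to `# only accept http/https URLs as a plugin source` and write the test idiomatically as `if source.lower().split('://')[0] not in ('http', 'https'):`, or more robustly `if urlparse(source).scheme not in ('http', 'https'):` so that schemes without `://` and surrounding whitespace are handled by the standard parser. Note also that if `request.vars.source` can arrive as a list for a repeated parameter, `.lower()` raises before the check runs, and the existing `if not (source and app)` guard does not cover that case either.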