Bas Couwenberg · Bas Couwenberg · Bas Couwenberg · Bas Couwenberg · 2aec124a · 2aec124a
--- a/CHANGES.txt
+++ b/CHANGES.txt
-1.11.0 2017-11-xx
+1.11.1 2019-08-06
+~~~~~~~~~~~~~~~~~
+
+Fixes:
+
+- Fix Cross Site Scripting (XSS) issue in demo service. Fix for #322 did not
+  properly escaped input used in JavaScript examples.
+
+  A targeted attack could be used for information disclosure. For
+  example: Session cookies of a third party application running on
+  the same domain.
+
+1.11.0 2017-11-20
 ~~~~~~~~~~~~~~~~~

 Improvements:

--- a/debian/changelog
+++ b/debian/changelog
+mapproxy (1.11.1-1) unstable; urgency=high
+
+  * New upstream release.
+    Fixes XSS issue in demo service, see:
+    https://github.com/mapproxy/mapproxy/issues/322
+
+ -- Bas Couwenberg <sebastic@debian.org>  Tue, 06 Aug 2019 13:00:23 +0200
+
 mapproxy (1.11.0-4) unstable; urgency=medium

  * Bump Standards-Version to 4.4.0, no changes.

--- a/doc/conf.py
+++ b/doc/conf.py
@@ -51,7 +51,7 @@ copyright = u'Oliver Tonnhofer, Omniscale'
 # The short X.Y version.
 version = '1.11'
 # The full version, including alpha/beta/rc tags.
-release = '1.11.0'
+release = '1.11.1'

 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

--- a/mapproxy/service/demo.py
+++ b/mapproxy/service/demo.py
@@ -22,7 +22,6 @@ import os
 import pkg_resources
 import mimetypes
 from collections import defaultdict
-from xml.sax.saxutils import escape

 from mapproxy.config.config import base_config
 from mapproxy.compat import PY2
@@ -258,3 +257,15 @@ class DemoServer(Server):
                return True
            return False
        return True
+
+
+def escape(data):
+    """
+    Escape user-provided input data for safe inclusion in HTML _and_ JS to prevent XSS.
+    """
+    data = data.replace('&', '&amp;')
+    data = data.replace('>', '&gt;')
+    data = data.replace('<', '&lt;')
+    data = data.replace("'", '')
+    data = data.replace('"', '')
+    return data
--- a/setup.py
+++ b/setup.py
@@ -54,7 +54,7 @@ def long_description(changelog_releases=10):

 setup(
    name='MapProxy',
-    version="1.11.0",
+    version="1.11.1",
    description='An accelerating proxy for tile and web map services',
    long_description=long_description(7),
    author='Oliver Tonnhofer',