metomi / rose

:rose: Rose is a toolkit for writing, editing and running application configurations.
https://metomi.github.io/rose/
GNU General Public License v3.0

Fix unescaped content injection in rosie disco #2765

Closed MetRonnie closed 6 months ago

MetRonnie commented 6 months ago

By having double quotes in rose-suite.info you could inject arbitrary HTML into rosie disco.

In this example, the description contained

```
           =the PDF document is displayed in the task "add_link_to_plots".
           =--------------------------------------------------------------------
           =There follows a description of template variables in
```

You can see how everything after 'in the task' is cut (and actually every word following this has become an attribute on the HTML element and caused the status bit to bleed into the element content).


I've tested out this fix by just running lib/html/template/rosie-disco/prefix-index.html through Jinja2 before and after.
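As an added illustration that is not code from this PR or from Rose, the script below stands in for the template fragment: it drops a description containing double quotes into a `title` attribute first unescaped and then with `html.escape(..., quote=True)`, which is the attribute quoting Jinja2's autoescape / `|e` filter applies, and parses each result with the stdlib `HTMLParser` to show what a browser would see. The element shape, the description text and the status value are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample values, modelled on the description quoted in the PR (not the real file).
DESCRIPTION = 'the PDF document is displayed in the task "add_link_to_plots". There follows a description'
STATUS = "running"


def render_unsafe(description: str, status: str) -> str:
    """Hypothetical template fragment before the fix: the value is interpolated verbatim."""
    return f'<span class="status" title="{description}">{status}</span>'


def render_escaped(description: str, status: str) -> str:
    """Same fragment with attribute-safe escaping (quote=True turns " into &quot;)."""
    title = html.escape(description, quote=True)
    return f'<span class="status" title="{title}">{html.escape(status)}</span>'


class SpanProbe(HTMLParser):
    """Collect the attributes and text content of the first <span> in the markup."""

    def __init__(self):
        super().__init__()
        self.attrs = None
        self.text = ""
        self._in_span = False

    def handle_starttag(self, tag, attrs):
        if tag == "span" and self.attrs is None:
            self.attrs = dict(attrs)  # HTMLParser unescapes entity references in values
            self._in_span = True

    def handle_data(self, data):
        if self._in_span:
            self.text += data

    def handle_endtag(self, tag):
        if tag == "span":
            self._in_span = False


def inspect(markup: str) -> dict:
    """Return the title seen by the parser, every attribute name, and the element text."""
    probe = SpanProbe()
    probe.feed(markup)
    probe.close()
    attrs = probe.attrs or {}
    return {"title": attrs.get("title"), "attrs": sorted(attrs), "attr_count": len(attrs), "text": probe.text}


if __name__ == "__main__":
    print(inspect(render_unsafe(DESCRIPTION, STATUS)))   # title cut at the first quote, stray attributes
    print(inspect(render_escaped(DESCRIPTION, STATUS)))  # full title, exactly class and title
```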