pyvideo / richard

video indexing site

reflective XSS in Search #271

Closed nv1t closed 9 years ago

nv1t commented 9 years ago

There's a reflective XSS in the search.

http://www.pyvideo.org/search?models=videos.video&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Looks like the base template should be fixed.

willkg commented 9 years ago

I haven't forgotten about this. I could fix it, but it didn't have any effect on pyvideo until we redid the infrastructure, which is finally done.

I'm going to get to this asap.

willkg commented 9 years ago

So, this is goofy stuff. The title is generated in the view, not the template. Then there are template tags and a bunch of other complexity.

I did a "quick fix" of bleaching the query text before assembling the title. I think the better fix is to nix all that complexity so it's easier to reason about the output of templates. I contend that's better because it reduces the likelihood of these sorts of things. I created issue #273 to cover that.
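The breakout the issue describes, as an added example that is not richard's code: the search view concatenates the raw `q` parameter into the page `<title>`, so a query containing `</title><script>…` closes the title element and runs script. The stdlib `html.escape` stands in here for the `escape()`/bleach step applied in the quick fix; the function names, the title wording and the `title_is_intact` oracle are assumptions for illustration, and the URL is the one from the report.

```python
# Added example (not pyvideo/richard code): reproduce the <title> breakout
# from the report and show why escaping the query before splicing it into
# markup closes the hole. Stdlib only, so it runs offline without Django.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Reported URL and its URL-decoded payload (taken from the issue text).
REPORT_URL = ("http://www.pyvideo.org/search?models=videos.video"
              "&q=%3C%2Ftitle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E")
PAYLOAD = "</title><script>alert(document.cookie)</script>"


def query_from_url(url: str) -> str:
    """Return the q= parameter as the view would receive it (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def vulnerable_title(query: str) -> str:
    """Hypothetical reproduction of the pattern the issue describes: the title is
    assembled in the view by plain string formatting, bypassing template
    autoescaping, so '<' in the query reaches the browser untouched."""
    return "<title>Search results for %s</title>" % query


def hardened_title(query: str) -> str:
    """Same title with the untrusted query HTML-escaped before assembly.
    html.escape is the stdlib stand-in for Django's escape() / bleach.clean().
    Inside <title> (RCDATA) the only way out is a literal '</title>', so
    escaping '<' is sufficient; quote=True also covers attribute contexts."""
    return "<title>Search results for %s</title>" % escape(query, quote=True)


def title_is_intact(markup: str) -> bool:
    """Crude structural oracle: exactly one <title>…</title> pair, and no tag
    characters inside it. False means the query broke out of the element."""
    start = markup.find("<title>")
    end = markup.find("</title>")
    if start == -1 or end == -1 or markup.count("</title>") != 1:
        return False
    inner = markup[start + len("<title>"):end]
    return "<" not in inner and ">" not in inner


if __name__ == "__main__":
    q = query_from_url(REPORT_URL)
    print("query as received:", q)
    print("vulnerable:", vulnerable_title(q), "intact:", title_is_intact(vulnerable_title(q)))
    print("hardened:  ", hardened_title(q), "intact:", title_is_intact(hardened_title(q)))
```

The oracle is deliberately simple: it only checks that the element the view intended to emit is the one the browser will parse. The longer-term fix the thread proposes, moving title assembly into the template, gets the same result for free, because Django autoescapes `{{ query }}` in that position.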