Mercurial > kallithea
view .hgsigs @ 7539:22da5f258118
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when loading a PR page.
To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Wed, 27 Feb 2019 02:23:26 +0100 |
parents | 9b9258f5e2b2 |
children |
line wrap: on
line source
9b3e9e242f5c97cc0c7657e5ac93dce7de61ca16 0 iQEcBAABAgAGBQJWDuAdAAoJEJ1bI/kYT6UUAlYH/ReCa7Im5tvy+ot5oAc7xey/O2rCVHp2h6i82tTWK/0i9EaS4DP+eTbAjV4WJA4qWF5DPenEJ3X9JhrTLNvGkR0f7lUqiFVMTJ472YlSsvIWg38gVFruzwk1cODRfq72o8ERYcRSfzrL4cDpIqjEd/vVVCV/gKVvPmzr4/FED/ZmS0X6T9gxWJo/eWSuLNAxHHtE/pCWDO3XEe+iOm+hHjkyz4Hn2r9/+ucrirnzycH6DnYO/kWvQzBnzgMjJm+1rLZ5cfU89V8zfhv6z0pd8CHZfpKGc2Z8EwVJq9LR+M4/76uDlYXx7IfZAxhRNqN6MC+yvPmDo3382dNr7Wkopi0= 9bf8eb837e785b6856ccfac264e977ce3ebe1535 0 iQEcBAABAgAGBQJW5XaVAAoJEJ1bI/kYT6UUbeMH/AsGg21jTc0tTT+228T+WfrfkbxrPkkULQF/Eo3ChlrhnFZ5B1y7ellSx6XGas7yKpqHHtNmrVwY3KBfUaYEljML/osEt1kvM6JGcd0vDbAW1uA2sdJR2AXmf32MjguFVhmYi9Lj79WYtgg241YGPe4dH0ompNFVqazNxCfmDBZijzSkF57FURMpV2e6+MyNq0txSo9Q82eALy0GAIX7NKQcxtynxG9ETzVzuVpeNE9MEZh0ObbUtPGezd55GXXcVqI8ZEurZwf6KHnd5M+5wxIZf84gM/k4QgQbRiIxNj4QfVmTZlVNSkC7PwSbF8twZPjlAprwldYvMi/c7ZVocEY= a84d40e9481fcea4dafadee86b03f0dd401527d6 0 iQEcBAABAgAGBQJXJ4XhAAoJEJ1bI/kYT6UUKaIH/i33ZiT95pWF3pHEftgrZWvMwvz9tAuoHgf7ntkIUPnxfNteXKw8FiKcSQ9f8I41VyML+rqsnBBIfltJknfoqTV+9jNkHwc62OfcqQ3RbBDXQbcSi1CHn2ihJiZadqiKEyUw7JJqOMyWp+AWQyywcF/ea+pwXPJG5A2fd4vnBWHSxhD+6Ig1KipZNORzZY7fAec185M7NOZCZC+5qOLIkoQZaGq+D2Aipx5eZkpgFd4W+0LQY1ywMV5CiOY1OG0mry7l6NfIZvPY9Kiwg37G6ZUi8fhwVvn6Y8UACcAnWunBfKt9PWK0rAgNyJ9HDk/+3S5g6HcNKUb6YRTzEcLshIc= 64ea7ea0923618a0c117acebb816a6f0d162bfdb 0 iQEvBAABCAAZBQJZeN4NEhxhbmRyZXdAc2hhZHVyYS5tZQAKCRCdWyP5GE+lFGi/CACBEWfdtZNumWz5LJ6yHbiceEDXZ+9aD44EU3J3VfbRwLeZhQ7J0WwBCFg0qPxh08O+TMaeRP4ur20hczyR6u8fwmIc9KDmNZHujlG0Q6GkNSMizyfJgf/MYJD+03q2Z0S4e9QdPfc746TBZKaqqauV0uVjtd7+m3L4R+Qh5shxBNxshqGGWtMtXpO9iojCJEqxde9RVm+w9NidKdCLGoDlVpJ42iFSrUMeWBnVUMRhOiz6XKUrIPEjUfWMFe0gOR55wZcF3tJo8XBqqqhecI69cmLmkv1xG92V+jC5gTC3STYTASJqXHKEp2cRvUGbHrFF9ODBvcYjj+VsY5r2aU1l