Mercurial > kallithea
view pytest.ini @ 7540:9beef1d91c4c
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Wed, 27 Feb 2019 02:23:26 +0100 |
parents | d88077fae3d6 |
children | afa5e0bdb76f |
line wrap: on
line source
[pytest] # only look for tests in kallithea/tests python_files = kallithea/tests/**/test_*.py addopts = # --verbose # show extra test summary info as specified by chars (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed, (w)warnings. -rfEsxXw # Shorter scrollbacks; less stuff to scroll through --tb=short