view docs/api/models.rst @ 7547:a8d873e9cab0
compare: prevent XSS due to unescaped branch/tag/bookmark names
In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
| author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
|---|---|
| date | Tue, 26 Feb 2019 21:27:42 +0100 |
| parents | cd6c577ade97 |
| children | b6b6955981a5 |
.. _models:

========================
The :mod:`models` module
========================

.. automodule:: kallithea.model
   :members:

.. automodule:: kallithea.model.comment
   :members:

.. automodule:: kallithea.model.permission
   :members:

.. automodule:: kallithea.model.repo_permission
   :members:

.. automodule:: kallithea.model.repo
   :members:

.. automodule:: kallithea.model.repo_group
   :members:

.. automodule:: kallithea.model.scm
   :members:

.. automodule:: kallithea.model.user
   :members:

.. automodule:: kallithea.model.user_group
   :members: