search: fix XSS vulnerability in search results The search feature did not correctly escape all arguments when displaying search matches and linking to the corresponding files. An attacker that can control the contents of a repository could thus cause a cross-site scripting (XSS) vulnerability. Fix the problem by removing the overall h.literal call that is only needed for the HTML entity &raquo; and splitting the link instead. We take the opportunity to improving the destination of the part before &raquo; which is the path to the repository. Instead of pointing to the search result, point to the repository itself. The part after &raquo; remains linked to the file containing the search match. Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

[tox]
minversion = 1.8
envlist = py{26,27}-pytest

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    -r{toxinidir}/dev_requirements.txt
    py26-pytest: unittest2
    python-ldap
    python-pam
commands =
    pytest: py.test {posargs}