templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS On a repository summary page, in the 'Download' section where you can download an archive of the repository at a given revision, the branch/tag names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks. Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
.eggs/
tarballcache/

syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^kallithea/tests/data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$