kallithea: view .hgignore @ 7553:c9bd000a4567 (stable)
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 11 Feb 2019 21:36:55 +0100 |
parents | bfa66e8887d7 |
children | 9358211ee144 |
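The commit message describes the general pattern behind this bug: a repository ref name that the attacker controls (branch, tag or bookmark) is interpolated into the markup of a download link without escaping. The following Python snippet is an added illustration of that pattern and of the fix, written for this page; it is not Kallithea's own template code, and the function names, the link layout and the sample ref name are constructed for the example. The vulnerable builder keeps the behaviour the message describes; the hardened one percent-encodes the ref for the URL path and HTML-escapes everything that lands in the attribute and link text.

```python
"""Illustration of unescaped ref names in a 'Download as zip' link (example code,
not Kallithea's templates/summary implementation)."""
import html
from urllib.parse import quote

# Constructed sample ref name of the kind an attacker could push: it closes the
# href attribute, injects a script tag and reopens an anchor.
MALICIOUS_REF = 'evil"><script>alert(1)</script><a href="'
BENIGN_REF = "stable"


def download_link_unsafe(repo_name: str, ref: str, fmt: str = "zip") -> str:
    # Vulnerable pattern: the ref is dropped straight into the markup, so any
    # HTML in its name is rendered and any script in it is executed.
    return f'<a href="/{repo_name}/archive/{ref}.{fmt}">Download as {fmt}</a>'


def download_link_safe(repo_name: str, ref: str, fmt: str = "zip") -> str:
    # Hardened pattern: two layers of encoding, one per context.
    # 1. Percent-encode the ref as a single URL path segment (safe='' so that
    #    '/' is encoded too and the ref cannot escape its segment).
    # 2. HTML-escape the finished href before placing it in the attribute, and
    #    HTML-escape the visible link text separately.
    href = f"/{quote(repo_name, safe='/')}/archive/{quote(ref, safe='')}.{fmt}"
    return (
        f'<a href="{html.escape(href, quote=True)}">'
        f"Download as {html.escape(fmt)}</a>"
    )


def injected_tag_count(markup: str) -> int:
    # Helper for checking a rendered link: a single anchor should contain exactly
    # two '<' characters (the <a ...> open tag and the </a> close tag). Anything
    # beyond that was injected through interpolated data.
    return markup.count("<") - 2


if __name__ == "__main__":
    for builder in (download_link_unsafe, download_link_safe):
        rendered = builder("kallithea", MALICIOUS_REF)
        print(f"{builder.__name__}: injected tags = {injected_tag_count(rendered)}")
        print("  ", rendered)
```

Input validation (rejecting names with `<` or `"`) is not the fix here: the message notes the attacker only needs the ability to push a ref with such a name, and the safe place to neutralise it is at the point where the name enters HTML, encoded for each context it is written into.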
line source
syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
.eggs/
tarballcache/

syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^kallithea/tests/data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$