# HG changeset patch # User Thomas De Schampheleire # Date 1551212862 -3600 # Node ID 04e44ea05c5fee8744879daf5b2c2e29051f8960 # Parent c9bd000a45675b1029fa19fd25b3db2c37169560 compare: prevent XSS due to unescaped branch/tag/bookmark names In the revision selection dropdown of the 'Compare' functionality, the branch/tag/bookmark names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks. diff -r c9bd000a4567 -r 04e44ea05c5f kallithea/templates/compare/compare_diff.html --- a/kallithea/templates/compare/compare_diff.html Mon Feb 11 21:36:55 2019 +0100 +++ b/kallithea/templates/compare/compare_diff.html Tue Feb 26 21:27:42 2019 +0100 @@ -101,7 +101,7 @@ $(css_selector).select2({ placeholder: placeholder, formatSelection: function(obj){ - return '{0}@{1}'.format(repo_name, obj.text); + return '{0}@{1}'.format(repo_name, obj.text).html_escape(); }, dropdownAutoWidth: true, query: function(query){
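Review bot: The escaping added in formatSelection covers only the selected-item label; the hunk's trailing context shows a `query: function(query){` callback and select2 also renders each dropdown entry through formatResult, so please confirm those paths escape `obj.text` too, otherwise the branch/tag/bookmark name still reaches the DOM unescaped in the dropdown list that the commit message describes. Also, `.html_escape()` is not a standard String method, so the fix depends on that prototype extension being loaded before this template's script runs; a short comment on the line, e.g. `// names are attacker-controlled: escape before select2 injects them as HTML`, would make the intent clear to the next reader.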