# HG changeset patch
# User Nick High
# Date 1428864385 14400
# Node ID a8f2986afc18c9221bf99f88b06e60ab83c86c55
# Parent 6eb57b4f311b4ab30eb3acfa83f6729d200dcebe
security: Fix HTML and JavaScript injection. This fixes CVE-2015-1864
diff -r 6eb57b4f311b -r a8f2986afc18 kallithea/controllers/admin/repo_groups.py
--- a/kallithea/controllers/admin/repo_groups.py Fri Apr 10 19:09:40 2015 +0200
+++ b/kallithea/controllers/admin/repo_groups.py Sun Apr 12 14:46:25 2015 -0400
@@ -144,7 +144,7 @@
 repo_groups_data.append({
 "raw_name": repo_gr.group_name,
 "group_name": repo_group_name(repo_gr.group_name, children_groups),
- "desc": repo_gr.group_description,
+ "desc": h.escape(repo_gr.group_description),
 "repos": repo_count,
 "owner": h.person(repo_gr.user),
 "action": repo_group_actions(repo_gr.group_id, repo_gr.group_name,
diff -r 6eb57b4f311b -r a8f2986afc18 kallithea/controllers/admin/user_groups.py
--- a/kallithea/controllers/admin/user_groups.py Fri Apr 10 19:09:40 2015 +0200
+++ b/kallithea/controllers/admin/user_groups.py Sun Apr 12 14:46:25 2015 -0400
@@ -113,7 +113,7 @@
 "raw_name": user_gr.users_group_name,
 "group_name": user_group_name(user_gr.users_group_id,
 user_gr.users_group_name),
- "desc": user_gr.user_group_description,
+ "desc": h.escape(user_gr.user_group_description),
 "members": len(user_gr.members),
 "active": h.boolicon(user_gr.users_group_active),
 "owner": h.person(user_gr.user.username),
diff -r 6eb57b4f311b -r a8f2986afc18 kallithea/controllers/admin/users.py
--- a/kallithea/controllers/admin/users.py Fri Apr 10 19:09:40 2015 +0200
+++ b/kallithea/controllers/admin/users.py Sun Apr 12 14:46:25 2015 -0400
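Review bot: Only `desc` gets `h.escape` in the repo_groups hunk, while `raw_name` is still emitted as the bare `repo_gr.group_name` and that same raw name goes into `repo_group_name(...)` and `repo_group_actions(...)`; group names are user-supplied too, so those values are safe only if the helpers escape their input and the grid renders `raw_name` as text, neither of which this hunk shows. The dict now mixes escaped plain text with pre-rendered markup from `h.person` and the helpers, which makes the contract easy to get wrong the next time a column is added. I would state it once above the `append`: `# every value in this dict is inserted into the grid as HTML: escape plain-text fields here, helper output is already markup`. The enclosing function starts and ends outside the hunk.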
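Review bot: Whether `h.escape(user_gr.user_group_description)` tolerates a NULL description depends on which escape `h.escape` wraps: markupsafe's `escape` turns `None` into the literal text `None`, `escape_silent` into an empty string, and the user_groups hunk does not show which one Kallithea binds. If the column is nullable, `"desc": h.escape(user_gr.user_group_description or ''),` avoids a stray `None` in the grid either way. `raw_name` and the argument to `user_group_name(...)` still carry `users_group_name` unescaped, which is fine only if that helper escapes and the grid treats `raw_name` as text. The enclosing function starts and ends outside the hunk.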
@@ -96,8 +96,8 @@
 "gravatar": grav_tmpl % h.gravatar(user.email, size=20),
 "raw_name": user.username,
 "username": username(user.user_id, user.username),
- "firstname": user.name,
- "lastname": user.lastname,
+ "firstname": h.escape(user.name),
+ "lastname": h.escape(user.lastname),
 "last_login": h.fmt_date(user.last_login),
 "last_login_raw": datetime_to_time(user.last_login),
 "active": h.boolicon(user.active),
diff -r 6eb57b4f311b -r a8f2986afc18 kallithea/model/repo.py
--- a/kallithea/model/repo.py Fri Apr 10 19:09:40 2015 +0200
+++ b/kallithea/model/repo.py Sun Apr 12 14:46:25 2015 -0400
@@ -138,8 +138,8 @@
 return json.dumps([
 {
 'id': u.user_id,
- 'fname': u.name,
- 'lname': u.lastname,
+ 'fname': h.escape(u.name),
+ 'lname': h.escape(u.lastname),
 'nname': u.username,
 'gravatar_lnk': h.gravatar_url(u.email, size=28),
 'gravatar_size': 14,
@@ -210,9 +210,9 @@
 def desc(desc):
 if c.visual.stylify_metatags:
- return h.urlify_text(h.desc_stylize(h.truncate(desc, 60)))
+ return h.urlify_text(h.desc_stylize(h.escape(h.truncate(desc, 60))))
 else:
- return h.urlify_text(h.truncate(desc, 60))
+ return h.urlify_text(h.escape(h.truncate(desc, 60)))
 def state(repo_state):
 return _render("repo_state", repo_state)
diff -r 6eb57b4f311b -r a8f2986afc18 kallithea/templates/summary/summary.html
--- a/kallithea/templates/summary/summary.html Fri Apr 10 19:09:40 2015 +0200
+++ b/kallithea/templates/summary/summary.html Sun Apr 12 14:46:25 2015 -0400
@@ -85,9 +85,9 @@
 %if c.visual.stylify_metatags:
-
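Review bot: The `firstname`/`lastname` fix in users.py lands without a regression test, and an output-escaping fix is exactly the kind of change that silently regresses when someone later adds a column to this grid. A functional test that creates a user with `lastname='<script>alert(1)</script>'`, fetches the admin users page and asserts that `&lt;script&gt;` is present and `<script>alert` is not would pin CVE-2015-1864 for the three grids this patch touches. Note also that `raw_name` is still the bare `user.username` and the `username(...)` helper receives it raw; that is safe only if usernames are validated against a restrictive pattern at creation or the helper escapes, neither of which is visible here. The enclosing function starts and ends outside the hunk.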
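Review bot: HTML-escaping `fname`/`lname` inside a `json.dumps` payload in repo.py puts output encoding at the wrong layer: JSON is not HTML, so a client that inserts these values as text (`textContent`, jQuery `.text()`) will now display `&amp;` and `&lt;` literally, while a client that inserts them as markup was the actual bug and is still reachable through `nname` (`u.username`), which the same hunk leaves unescaped. If the autocomplete consumer really does innerHTML these fields, record that contract next to the dict, e.g. `# fname/lname are HTML-escaped because the user-autocomplete client inserts them as markup; nname is assumed to be a validated username`, and otherwise escape in the JavaScript consumer instead. The enclosing function starts and ends outside the hunk.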
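Review bot: In `desc`, `h.escape` now runs before `h.desc_stylize`, so any metatag syntax that `desc_stylize` matches on characters escaping rewrites (`>` becomes `&gt;`, quotes become entities) will stop matching; if the stylizer recognises `[key => value]` style tags, as its name suggests, the `=>` part is affected and `[lang => python]` would render as plain escaped text instead of a badge. That cannot be confirmed from this hunk, so it should be checked with such a description on the repository list and, if it breaks, the escaping moved inside `desc_stylize` (escape the free text and each captured value, then wrap the value in the badge markup) rather than applied in front of it. The `truncate`-then-`escape` order itself is right, since truncating after escaping could cut an entity in half. The summary.html hunk below applies the same `escape` → `desc_stylize` → `urlify_text` order to the full description and is affected the same way.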
${h.urlify_text(h.desc_stylize(c.db_repo.description))}
+
${h.urlify_text(h.desc_stylize(h.escape(c.db_repo.description)))}
%else: -
${h.urlify_text(c.db_repo.description)}
+
${h.urlify_text(h.escape(c.db_repo.description))}
%endif