changeset 7541:429c2c8a4354

pullrequests: prevent XSS in @mention completion when first and last names cannot be trusted atwho used in MentionsAutoComplete is passing raw user-controlled data which might contain HTML markup. That could cause XSS issues when completion hits a rogue user name. To avoid that, make sure displayTpl always escapes user information, as recommended in https://github.com/ichord/At.js/issues/334 .
author Mads Kiilerich <mads@kiilerich.com>
date Wed, 27 Feb 2019 02:23:26 +0100
parents 9beef1d91c4c
children 42a150500c25
files kallithea/public/js/base.js
diffstat 1 files changed, 7 insertions(+), 1 deletions(-) [+]
line diff
--- a/kallithea/public/js/base.js	Wed Feb 27 02:23:26 2019 +0100
+++ b/kallithea/public/js/base.js	Wed Feb 27 02:23:26 2019 +0100
@@ -1198,7 +1198,13 @@
         return items;
       }
     },
-    displayTpl: "<li>" + autocompleteGravatar('${fname} ${lname} (${nname})', '${gravatar_lnk}', 16) + "</li>",
+    displayTpl: function(item) {
+        return "<li>" +
+            autocompleteGravatar(
+                "{0} {1} ({2})".format(item.fname, item.lname, item.nname).html_escape(),
+                '${gravatar_lnk}', 16) +
+            "</li>";
+    },
     insertTpl: "${atwho-at}${nname}"
   });
 };
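Review bot: The escaped name is still exposed to atwho's `${...}` placeholder expansion after displayTpl returns — the retained `'${gravatar_lnk}'` argument on the `autocompleteGravatar(` call only works because that expansion still runs on the returned string — so a name containing a literal `${fname}`-style token would, after `html_escape()`, be re-expanded from the raw item fields; whether the bundled At.js version really post-expands function templates should be confirmed before relying on the escaping alone. Passing the link directly, `item.gravatar_lnk, 16) +`, removes this template's dependency on post-expansion, though by itself it does not stop expansion of tokens inside the escaped text. A short comment on the function would also record why the template became a function: `// escape user-supplied names: atwho injects displayTpl output as HTML (At.js#334)`. The enclosing `.atwho({...})` call begins before the hunk.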