changeset 8500:48b9fdef5e7f stable

repo_groups: extra escape of names when used in select drop-downs The lack of escaping could be a problem *if* it was possible to create repo groups with dangerous names. This was seen for example when specifying parent group of repos and repo groups. We want to keep groups_choices as HTML literals so paths can use » as separator.
author Mads Kiilerich <mads@kiilerich.com>
date Wed, 11 Nov 2020 17:03:40 +0100
parents df930758dcf7
children 2a2a50e10026
files kallithea/model/db.py
diffstat 1 files changed, 2 insertions(+), 1 deletions(-) [+]
--- a/kallithea/model/db.py	Wed Nov 11 16:45:42 2020 +0100
+++ b/kallithea/model/db.py	Wed Nov 11 17:03:40 2020 +0100
@@ -1407,9 +1407,10 @@
     def _generate_choice(cls, repo_group):
         """Return tuple with group_id and name as html literal"""
         from webhelpers2.html import literal
+        import kallithea.lib.helpers as h
         if repo_group is None:
             return (-1, '-- %s --' % _('top level'))
-        return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted))
+        return repo_group.group_id, literal(cls.SEP.join(h.html_escape(x) for x in repo_group.full_path_splitted))
 
     @classmethod
     def groups_choices(cls, groups):
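Review bot: The docstring on `_generate_choice` still says only "name as html literal" and does not record that, since the added line, every path component is passed through `h.html_escape` and only `cls.SEP` is inserted raw; a reader of `groups_choices` could otherwise assume the whole value is trusted markup and re-escape or skip escaping elsewhere. I would change it to `"""Return tuple with group_id and name as html literal; each path component is HTML-escaped, only SEP is inserted raw"""`. The new function-scope `import kallithea.lib.helpers as h` is presumably there to avoid a circular import between `model/db.py` and `lib/helpers`, like the existing `literal` import above it — worth a one-line comment such as `# local import: helpers imports model (circular) — confirm` so it is not "fixed" by hoisting to module level. Note the `None` branch still returns a plain `str` rather than a `literal`, which is consistent with the escaping intent only if the template auto-escapes non-literal values, as webhelpers2 does. `groups_choices` starts on the last line of the hunk and its body is outside it.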