changeset 8500:48b9fdef5e7f stable
repo_groups: extra escape of names when used in select drop-downs
The lack of escaping could be a problem *if* it was possible to create repo
groups with dangerous names.
This was seen for example when specifying parent group of repos and repo
groups.
We want to keep groups_choices as HTML literals so paths can use » as
separator.
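The pattern the commit describes, escape each path component first and only then join with a trusted separator and mark the result as an HTML literal, as an added example that is not Kallithea's own code. It uses the standard library `html.escape` in place of the project's `h.html_escape`, a plain `str` in place of `webhelpers2`'s `literal`, and an assumed separator value; the function names and the sample group names are constructed for the demonstration.

```python
import html

# Assumed separator: the commit keeps the choice label as an HTML literal
# precisely so that a trusted fragment like this can be used between components.
SEP = ' &raquo; '

TOP_LEVEL = (-1, '-- top level --')


def generate_choice_unescaped(group_id, full_path_splitted):
    """'Before' behaviour (constructed): components are joined raw and the whole
    label is treated as trusted HTML, so markup in a group name reaches the
    browser unchanged."""
    if full_path_splitted is None:
        return TOP_LEVEL
    return group_id, SEP.join(full_path_splitted)


def generate_choice(group_id, full_path_splitted):
    """'After' behaviour: escape every component, then join with the trusted
    separator. Only SEP and the escaped text make up the literal."""
    if full_path_splitted is None:
        return TOP_LEVEL
    return group_id, SEP.join(html.escape(x, quote=True) for x in full_path_splitted)


def render_option(choice):
    """Render one <option> the way a template would treat an HTML literal:
    the label is inserted without further escaping."""
    group_id, label = choice
    return '<option value="%d">%s</option>' % (group_id, label)


def has_raw_markup(label):
    """Check used by the test: a safely built label contains no raw '<', '>' or '"'."""
    return any(c in label for c in '<>"')


if __name__ == '__main__':
    # Constructed sample: a nested group whose name carries markup.
    path = ['parent', '<b>evil</b>']
    print(render_option(generate_choice_unescaped(7, path)))
    print(render_option(generate_choice(7, path)))
```

Run directly, the first printed `<option>` shows the raw `<b>` tag inside the label, the second shows it as `&lt;b&gt;`; the `&raquo;` separator survives in both because it is added after escaping.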
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Wed, 11 Nov 2020 17:03:40 +0100 |
parents | df930758dcf7 |
children | 2a2a50e10026 |
files | kallithea/model/db.py |
diffstat | 1 files changed, 2 insertions(+), 1 deletions(-) [+] |
--- a/kallithea/model/db.py Wed Nov 11 16:45:42 2020 +0100 +++ b/kallithea/model/db.py Wed Nov 11 17:03:40 2020 +0100 @@ -1407,9 +1407,10 @@ def _generate_choice(cls, repo_group): """Return tuple with group_id and name as html literal""" from webhelpers2.html import literal + import kallithea.lib.helpers as h if repo_group is None: return (-1, '-- %s --' % _('top level')) - return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted)) + return repo_group.group_id, literal(cls.SEP.join(h.html_escape(x) for x in repo_group.full_path_splitted)) @classmethod def groups_choices(cls, groups):
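Review bot: the two return branches of `_generate_choice` now treat escaping differently, and the docstring should say so: the top-level placeholder `'-- %s --' % _('top level')` is returned as a plain str that the template will auto-escape, while the path branch returns a `literal` whose components are escaped one by one with `h.html_escape` and then joined with `cls.SEP`. That is correct only as long as `cls.SEP` is itself trusted markup, so "Return tuple with group_id and name as html literal" should be extended to state that each path component is escaped and that SEP must be an HTML-safe fragment, otherwise a later change to SEP reintroduces the problem the commit fixes. A one-line comment on why `kallithea.lib.helpers` is imported locally, next to the existing local `webhelpers2.html` import, would also save the next reader from guessing that it is an import-cycle workaround.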