changeset 4766:61d7fffbdf52

templates: fix HTML injection via file names
author Andrew Shadura <andrew@shadura.me>
date Wed, 14 Jan 2015 17:45:22 +0100
parents 46c6eb7f1d66
children 28289731724b
files kallithea/templates/files/files_browser.html
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
--- a/kallithea/templates/files/files_browser.html	Wed Jan 07 16:54:28 2015 +0100
+++ b/kallithea/templates/files/files_browser.html	Wed Jan 14 17:45:22 2015 +0100
@@ -22,7 +22,7 @@
         elif node.is_submodule():
             c = "icon-file-submodule"
     %>
-    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, node.name))%>
+    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, h.escape(node.name)))%>
 </%def>
 <div id="body" class="browserblock">
     <div class="browser-header">
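Review bot: The only interpolation left unescaped on the new line is `c`, which the visible branches assign from fixed class-name literals (e.g. `"icon-file-submodule"`), so the fix is complete only while that invariant holds; a comment above the return would pin it for the next editor, e.g. `## c is always one of the fixed icon class literals above; node.name is user-controlled and must stay escaped`. The enclosing `<%def>` opens outside the hunk, so it cannot be confirmed here that no earlier branch derives `c` from node data. If any branch ever does, `c` should be passed through `h.escape` the same way, so the safe pattern is to escape every value interpolated into the `h.literal` string, not just the one that triggered this bug.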