changeset 4766:61d7fffbdf52
templates: fix HTML injection via file names
author | Andrew Shadura <andrew@shadura.me> |
---|---|
date | Wed, 14 Jan 2015 17:45:22 +0100 |
parents | 46c6eb7f1d66 |
children | 28289731724b |
files | kallithea/templates/files/files_browser.html |
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) [+] |
--- a/kallithea/templates/files/files_browser.html Wed Jan 07 16:54:28 2015 +0100
+++ b/kallithea/templates/files/files_browser.html Wed Jan 14 17:45:22 2015 +0100
@@ -22,7 +22,7 @@
 elif node.is_submodule():
 c = "icon-file-submodule"
 %>
-<%return h.literal('<i class="%s"></i><span>%s</span>' % (c, node.name))%>
+<%return h.literal('<i class="%s"></i><span>%s</span>' % (c, h.escape(node.name)))%>
 </%def>
 <div id="body" class="browserblock">
 <div class="browser-header">
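Review bot: The new line escapes `node.name` correctly but carries no comment saying why the call is required inside `h.literal()`, which marks the whole formatted string as safe and so bypasses the template's autoescaping; without that note a later edit could drop it again. I would add a Mako comment above the return, `## node.name comes from the repository and is user-controlled; it must be escaped before the markup is marked literal.` The `<%def>` this return belongs to starts outside the hunk, so the earlier branches that assign `c` are not visible here, though the visible branch assigns a fixed class string. Other templates that format `node.name` or other path components into `h.literal` strings would need the same treatment, but none is visible in this changeset.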