Mercurial > kallithea

changeset 7540:9beef1d91c4c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted The user information passed to autocompleteFormatter from select2 is the raw data which might contain HTML markup controlled by the user. That could cause XSS issues, already when adding rogue users as reviewers on a PR. To avoid that, make sure select2 use the default escapeMarkup function. In addReviewMember, use .html_escape when expanding the reviewer template.
author Mads Kiilerich <mads@kiilerich.com>
date Wed, 27 Feb 2019 02:23:26 +0100
parents 22da5f258118
children 429c2c8a4354
files kallithea/public/js/base.js
diffstat 1 files changed, 1 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/kallithea/public/js/base.js	Wed Feb 27 02:23:26 2019 +0100
+++ b/kallithea/public/js/base.js	Wed Feb 27 02:23:26 2019 +0100
@@ -1146,7 +1146,6 @@
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
-        escapeMarkup: function(m) { return m; },
         id: function(item) { return item.nname; },
     });
 }
@@ -1172,7 +1171,6 @@
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
-        escapeMarkup: function(m) { return m; },
         id: function(item) { return item.type == 'user' ? item.nname : item.grname },
     }).on("select2-selecting", function(e) {
         // e.choice.id is automatically used as selection value - just set the type of the selection
@@ -1249,7 +1247,7 @@
         '         </a> (add not saved)\n'+
         '       </span>\n'+
         '     </li>\n'
-        ).format(gravatarelm, displayname, id);
+        ).format(gravatarelm, displayname.html_escape(), id);
     // check if we don't have this ID already in
     var ids = [];
     $('#review_members').find('li').each(function() {
@@ -1289,7 +1287,6 @@
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
-        escapeMarkup: function(m) { return m; },
     }).on("select2-selecting", function(e) {
         addReviewMember(e.choice.id, e.choice.fname, e.choice.lname, e.choice.nname,
                         e.choice.gravatar_lnk, e.choice.gravatar_size);