changeset 8498:cd8fa11c5c89 stable

repogroups: fix HTML markup of descriptions

Repogroup descriptions were not urlified like repo descriptions are. That caused incorrect rendering with possibility of XSS. The problem was introduced in 0.4.0 with 6db3122e4d75. Thanks to stypr of Flatt Security for reporting this vulnerability.
author Mads Kiilerich <mads@kiilerich.com>
date Tue, 10 Nov 2020 11:30:16 +0100
parents c387989f868f
children df930758dcf7
files kallithea/model/repo.py
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
line diff
--- a/kallithea/model/repo.py	Wed Oct 28 14:58:18 2020 +0100
+++ b/kallithea/model/repo.py	Tue Nov 10 11:30:16 2020 +0100
@@ -171,7 +171,7 @@
                 raw_name='\0' + gr.name, # sort before repositories
                 just_name=gr.name,
                 name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
-                desc=gr.group_description))
+                desc=desc(gr.group_description)))
 
         for repo in repos_list:
             if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):
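Review bot: the `desc(...)` helper that line `+                desc=desc(gr.group_description)))` now calls is not visible in this hunk's context, so the review should confirm that it is the same escape-then-urlify helper already applied to repo descriptions further down in this function, and that it escapes before linkifying rather than the other way round; otherwise the group branch and the repo branch could still render the same description differently. A regression test that feeds a group description containing HTML markup and a plain URL through `get_repos_as_dict` and checks the output is escaped and linkified would lock in the fix, since the one-line change itself carries no test.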