Mercurial > kallithea
changeset 8498:cd8fa11c5c89 stable
repogroups: fix HTML markup of descriptions
Repogroup descriptions were not urlified like repo descriptions are. That
caused incorrect rendering with posibility of XSS.
The problem was introduced in 0.4.0 with 6db3122e4d75.
Thanks to stypr of Flatt Security for reporting this vulnerability.
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 10 Nov 2020 11:30:16 +0100 |
parents | c387989f868f |
children | df930758dcf7 |
files | kallithea/model/repo.py |
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/kallithea/model/repo.py Wed Oct 28 14:58:18 2020 +0100 +++ b/kallithea/model/repo.py Tue Nov 10 11:30:16 2020 +0100 @@ -171,7 +171,7 @@ raw_name='\0' + gr.name, # sort before repositories just_name=gr.name, name=_render('group_name_html', group_name=gr.group_name, name=gr.name), - desc=gr.group_description)) + desc=desc(gr.group_description))) for repo in repos_list: if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):