changeset 7658:ddad3be4dc44 stable

changeset: fix XSS vulnerability in parent-child navigation The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser normally immediately jump to the correct revision upon click. But, if there are multiple candidates, e.g. two children of a commit, then a list of revisions is shown as hyperlinks instead. These hyperlinks have a 'title' attribute containing the full commit message of the corresponding commit. When this commit message contains characters special to HTML, like ", >, etc. they were added literally to the HTML code. This can lead to a cross-site scripting (XSS) vulnerability when an attacker has write access to a repository. They could craft a special commit message that would introduce HTML and/or JavaScript code when the commit is listed in such 'parent-child' navigation links. Escape the commit message before using it further.
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Fri, 19 Apr 2019 20:54:46 +0200
parents b9b719fb4774
children 0266dc85c61f
files kallithea/public/js/base.js
diffstat 1 files changed, 1 insertions(+), 1 deletions(-) [+]
--- a/kallithea/public/js/base.js	Wed Apr 24 20:58:31 2019 +0200
+++ b/kallithea/public/js/base.js	Fri Apr 19 20:54:46 2019 +0200
@@ -1493,7 +1493,7 @@
                         for(var i = 0; i < data.results.length; i++){
                             _html.push(template
                                 .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6)))
-                                .replace('__title__', data.results[i].message)
+                                .replace('__title__', data.results[i].message.html_escape())
                                 .replace('__url__', pyroutes.url('changeset_home', {
                                     'repo_name': repo_name,
                                     'revision': data.results[i].raw_id}))
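Review bot: The string form of `.replace()` on the new `__title__` line still interprets `$` sequences in the replacement (`$&`, `$'`, `` $` ``), so a commit message containing them is spliced into the surrounding template text rather than inserted literally, which `html_escape()` does not prevent. Passing a function makes the substitution literal: `.replace('__title__', function () { return data.results[i].message.html_escape(); })` (the function runs synchronously, so the `var i` loop index is the current one). Because the value lands inside a quoted `title` attribute, `html_escape()` must also encode `"` (and preferably `'`); its implementation is not in this hunk, so that should be confirmed. The enclosing loop and function continue outside the hunk.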