changeset 8499:df930758dcf7 stable

repos: extra HTML escaping of repo and repo group names shown in DataTables. These names will already have been "slugged" and thus cannot contain anything usable for an attack, but let's be explicitly safe and escape them anyway. raw_name without escaping would cause XSS *if* it were possible to create unsafe repo names. just_name must be escaped in order to make search work correctly - for example when searching for '<' ... *if* it were possible for names to contain that.
author Mads Kiilerich <mads@kiilerich.com>
date Wed, 11 Nov 2020 16:45:42 +0100
parents cd8fa11c5c89
children 48b9fdef5e7f
files kallithea/controllers/admin/repo_groups.py kallithea/model/repo.py
diffstat 2 files changed, 5 insertions(+), 5 deletions(-) [+]
--- a/kallithea/controllers/admin/repo_groups.py	Tue Nov 10 11:30:16 2020 +0100
+++ b/kallithea/controllers/admin/repo_groups.py	Wed Nov 11 16:45:42 2020 +0100
@@ -117,7 +117,7 @@
             children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]
             repo_count = repo_gr.repositories.count()
             repo_groups_data.append({
-                "raw_name": repo_gr.group_name,
+                "raw_name": h.escape(repo_gr.group_name),
                 "group_name": repo_group_name(repo_gr.group_name, children_groups),
                 "desc": h.escape(repo_gr.group_description),
                 "repos": repo_count,
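Review bot: The escaping helper is inconsistent between the two files: this hunk uses `h.escape(repo_gr.group_name)` while both hunks in kallithea/model/repo.py use `h.html_escape(...)` for the same kind of DataTables key. If the two helpers are equivalent, use one of them everywhere, e.g. `"raw_name": h.html_escape(repo_gr.group_name),`; if `h.escape` returns a markup-typed value rather than a plain str, the serialised output may differ from the repo.py rows, which is worth confirming. Since a field named raw_name is now escaped, a short comment would save the next reader a lookup, e.g. `# escaped: DataTables inserts raw_name into the page as HTML`. The enclosing function starts before the hunk.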
--- a/kallithea/model/repo.py	Tue Nov 10 11:30:16 2020 +0100
+++ b/kallithea/model/repo.py	Wed Nov 11 16:45:42 2020 +0100
@@ -168,8 +168,8 @@
 
         for gr in repo_groups_list or []:
             repos_data.append(dict(
-                raw_name='\0' + gr.name, # sort before repositories
-                just_name=gr.name,
+                raw_name='\0' + h.html_escape(gr.name), # sort before repositories
+                just_name=h.html_escape(gr.name),
                 name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
                 desc=desc(gr.group_description)))
 
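Review bot: Escaping changes the values that DataTables sorts and searches on, not only what it renders: a name containing `&` (if names could contain it) would now sort and be searched as `&amp;`, so a search for the literal character would have to be typed in escaped form. The commit message argues names are slugged so this cannot occur today, and that reasoning belongs next to the code, e.g. `# names are slugged; escaping is defence in depth, and keeps DataTables search/sort keys safe to insert as HTML`. The same applies to the second hunk of this file (`raw_name`/`just_name` of repositories). Both hunks sit inside a function whose start is outside the diff.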
@@ -178,8 +178,8 @@
                 continue
             cs_cache = repo.changeset_cache
             row = {
-                "raw_name": repo.repo_name,
-                "just_name": repo.just_name,
+                "raw_name": h.html_escape(repo.repo_name),
+                "just_name": h.html_escape(repo.just_name),
                 "name": repo_lnk(repo.repo_name, repo.repo_type,
                                  repo.repo_state, repo.private, repo.fork),
                 "following": following(