@ 391fde4cbf12
Location: kallithea/docs/api/models.rst - annotation
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS
On repository pages, the 'Switch To' did not escape branches correctly.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape().
.. _models:

========================
The :mod:`models` module
========================

.. automodule:: kallithea.model
   :members:

.. automodule:: kallithea.model.comment
   :members:

.. automodule:: kallithea.model.permission
   :members:

.. automodule:: kallithea.model.repo_permission
   :members:

.. automodule:: kallithea.model.repo
   :members:

.. automodule:: kallithea.model.repo_group
   :members:

.. automodule:: kallithea.model.scm
   :members:

.. automodule:: kallithea.model.user
   :members:

.. automodule:: kallithea.model.user_group
   :members: