Files
@ 9beef1d91c4c
Branch filter:
Location: kallithea/MANIFEST.in - annotation
9beef1d91c4c
1.1 KiB
text/plain
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
8cea7986ed79 ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef 8cea7986ed79 ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef 8cea7986ed79 ff08d3cf9aef 8cea7986ed79 8cea7986ed79 8cea7986ed79 2d7a94f3eaae 0e6035a85980 7894a440e134 ff08d3cf9aef 8cea7986ed79 19a9f02443c8 ff08d3cf9aef ff08d3cf9aef 7e5f8c12a3fc ff08d3cf9aef ff08d3cf9aef 8cea7986ed79 8cea7986ed79 ff08d3cf9aef 8cea7986ed79 | include .coveragerc
include Apache-License-2.0.txt
include CONTRIBUTORS
include COPYING
include Jenkinsfile
include LICENSE-MERGELY.html
include LICENSE.md
include MIT-Permissive-License.txt
include README.rst
include dev_requirements.txt
include development.ini
include pytest.ini
include requirements.txt
include tox.ini
recursive-include docs *
recursive-include init.d *
recursive-include kallithea/alembic *
include kallithea/bin/ldap_sync.conf
include kallithea/lib/paster_commands/template.ini.mako
recursive-include kallithea/front-end *
recursive-include kallithea/i18n *
recursive-include kallithea/public *
recursive-include kallithea/templates *
recursive-include kallithea/tests/fixtures *
recursive-include kallithea/tests/scripts *
include kallithea/tests/models/test_dump_html_mails.ref.html
include kallithea/tests/performance/test_vcs.py
include kallithea/tests/vcs/aconfig
recursive-include scripts *
|