Files
@ 9beef1d91c4c
Branch filter:
Location: kallithea/scripts/generate-ini.py - annotation
9beef1d91c4c
2.0 KiB
text/x-python
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
06d5c043e989 06d5c043e989 451b3f9d814e 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 e3cce237d77c e3cce237d77c 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 fc6b1b0e1096 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 94f6b23e52d0 06d5c043e989 665dfa112f2c 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 665dfa112f2c 06d5c043e989 06d5c043e989 d06039dc4ca2 06d5c043e989 94f6b23e52d0 94f6b23e52d0 06d5c043e989 06d5c043e989 06d5c043e989 | #!/usr/bin/env python2
"""
Based on kallithea/lib/paster_commands/template.ini.mako, generate development.ini
"""
import re
from kallithea.lib import inifile
# files to be generated from the mako template
ini_files = [
('development.ini',
{
'[server:main]': {
'host': '0.0.0.0',
},
'[app:main]': {
'debug': 'true',
'app_instance_uuid': 'development-not-secret',
'beaker.session.secret': 'development-not-secret',
},
'[handler_console]': {
'formatter': 'color_formatter',
},
'[handler_console_sql]': {
'formatter': 'color_formatter_sql',
},
'[logger_routes]': {
'level': 'DEBUG',
},
'[logger_beaker]': {
'level': 'DEBUG',
},
'[logger_templates]': {
'level': 'INFO',
},
'[logger_kallithea]': {
'level': 'DEBUG',
},
'[logger_tg]': {
'level': 'DEBUG',
},
'[logger_gearbox]': {
'level': 'DEBUG',
},
'[logger_whoosh_indexer]': {
'level': 'DEBUG',
},
},
),
]
def main():
# make sure all mako lines starting with '#' (the '##' comments) are marked up as <text>
makofile = inifile.template_file
print 'reading:', makofile
mako_org = open(makofile).read()
mako_no_text_markup = re.sub(r'</?%text>', '', mako_org)
mako_marked_up = re.sub(r'\n(##.*)', r'\n<%text>\1</%text>', mako_no_text_markup, flags=re.MULTILINE)
if mako_marked_up != mako_org:
print 'writing:', makofile
open(makofile, 'w').write(mako_marked_up)
# create ini files
for fn, settings in ini_files:
print 'updating:', fn
inifile.create(fn, None, settings)
if __name__ == '__main__':
main()
|