Files @ a8d873e9cab0
Branch filter:

Location: kallithea/tox.ini - annotation

a8d873e9cab0 238 B text/x-ini Show Source Show as Raw Download as Raw
Thomas De Schampheleire
compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
2481c0a1ed31
768989c595aa
6a83b399bb3c
2481c0a1ed31
2481c0a1ed31
9c5e6984bd0e
9c5e6984bd0e
46662961d58d
dd676fdeda0f
dd676fdeda0f
b2195895bbd7
b2195895bbd7
46662961d58d
46662961d58d

[tox]
minversion = 1.8
envlist = py{26,27}-pytest

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    -r{toxinidir}/dev_requirements.txt
    py26-pytest: unittest2
    python-ldap
    python-pam
commands =
    pytest: py.test {posargs}
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.