Files
@ c9cfaeb1cdfe
Branch filter:
Location: kallithea/docs/index.rst - annotation
c9cfaeb1cdfe
1.1 KiB
text/prs.fallenstein.rst
tooltips: fix unsafe insertion of userdata into the DOM as html
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
5f481e4e888b 5f481e4e888b beb4cbf30d00 beb4cbf30d00 03bbd33bc084 03bbd33bc084 bdd1ddd05b7c 03bbd33bc084 03bbd33bc084 5f481e4e888b 03bbd33bc084 03bbd33bc084 03bbd33bc084 5f481e4e888b 5f481e4e888b 5f481e4e888b 5f481e4e888b 5f481e4e888b 64b1a2320bcb d95ea48af67b e69d34136be5 3389f272ece1 8b8edfc25856 bb35ad076e2f bb35ad076e2f bb35ad076e2f bb35ad076e2f bb35ad076e2f bbd499c7b55e 601282d36c06 aa17c7a1b8a5 bbd499c7b55e beb4cbf30d00 beb4cbf30d00 beb4cbf30d00 beb4cbf30d00 beb4cbf30d00 beb4cbf30d00 beb4cbf30d00 af371e206ec5 4d076981a7b1 aa90719e8520 4d076981a7b1 bb35ad076e2f bb35ad076e2f bb35ad076e2f bb35ad076e2f 8b8edfc25856 bb35ad076e2f 42a87338035a 5f481e4e888b bb35ad076e2f bb35ad076e2f bb35ad076e2f 9da24750f563 bb35ad076e2f b43a121f3137 b43a121f3137 8b8edfc25856 bb35ad076e2f 5f481e4e888b a60cd29ba7e2 5f481e4e888b 5f481e4e888b 5f481e4e888b 5f481e4e888b a60cd29ba7e2 5f481e4e888b 5f481e4e888b 5f481e4e888b 9472a0150bf0 5f481e4e888b a60cd29ba7e2 a60cd29ba7e2 a60cd29ba7e2 8b8edfc25856 | .. _index:
Kallithea Documentation
-----------------------
**Readme**
.. toctree::
:maxdepth: 1
readme
**Installation**
.. toctree::
:maxdepth: 1
installation
installation_win
installation_win_old
installation_iis
setup
**Usage**
.. toctree::
:maxdepth: 1
usage/general
usage/vcs_support
usage/locking
usage/statistics
**Administrators Guide**
.. toctree::
:maxdepth: 1
usage/performance
usage/backup
usage/debugging
usage/troubleshooting
**Develop**
.. toctree::
:maxdepth: 1
contributing
changelog
**API**
.. toctree::
:maxdepth: 1
api/api
api/models
Other topics
------------
* :ref:`genindex`
* :ref:`search`
.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _python: http://www.python.org/
.. _django: http://www.djangoproject.com/
.. _mercurial: http://mercurial.selenic.com/
.. _bitbucket: http://bitbucket.org/
.. _subversion: http://subversion.tigris.org/
.. _git: http://git-scm.com/
.. _celery: http://celeryproject.org/
.. _Sphinx: http://sphinx.pocoo.org/
.. _vcs: http://pypi.python.org/pypi/vcs
|