diff --git a/kallithea/controllers/admin/repo_groups.py b/kallithea/controllers/admin/repo_groups.py
--- a/kallithea/controllers/admin/repo_groups.py
+++ b/kallithea/controllers/admin/repo_groups.py
@@ -144,7 +144,7 @@ class RepoGroupsController(BaseControlle
 repo_groups_data.append({
 "raw_name": repo_gr.group_name,
 "group_name": repo_group_name(repo_gr.group_name, children_groups),
- "desc": repo_gr.group_description,
+ "desc": h.escape(repo_gr.group_description),
 "repos": repo_count,
 "owner": h.person(repo_gr.user),
 "action": repo_group_actions(repo_gr.group_id, repo_gr.group_name,
diff --git a/kallithea/controllers/admin/user_groups.py b/kallithea/controllers/admin/user_groups.py
--- a/kallithea/controllers/admin/user_groups.py
+++ b/kallithea/controllers/admin/user_groups.py
@@ -113,7 +113,7 @@ class UserGroupsController(BaseControlle
 "raw_name": user_gr.users_group_name,
 "group_name": user_group_name(user_gr.users_group_id,
 user_gr.users_group_name),
- "desc": user_gr.user_group_description,
+ "desc": h.escape(user_gr.user_group_description),
 "members": len(user_gr.members),
 "active": h.boolicon(user_gr.users_group_active),
 "owner": h.person(user_gr.user.username),
diff --git a/kallithea/controllers/admin/users.py b/kallithea/controllers/admin/users.py
--- a/kallithea/controllers/admin/users.py
+++ b/kallithea/controllers/admin/users.py
@@ -96,8 +96,8 @@ class UsersController(BaseController):
 "gravatar": grav_tmpl % h.gravatar(user.email, size=20),
 "raw_name": user.username,
 "username": username(user.user_id, user.username),
- "firstname": user.name,
- "lastname": user.lastname,
+ "firstname": h.escape(user.name),
+ "lastname": h.escape(user.lastname),
 "last_login": h.fmt_date(user.last_login),
 "last_login_raw": datetime_to_time(user.last_login),
 "active": h.boolicon(user.active),
diff --git a/kallithea/model/repo.py b/kallithea/model/repo.py
--- a/kallithea/model/repo.py
+++ b/kallithea/model/repo.py
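Review bot: The added `h.escape(repo_gr.group_description)` runs on a column that can be unset, and the result then depends on which escape `h` wraps: webhelpers' `escape` returns an empty literal for `None`, while markupsafe's yields the text `None`, so a group without a description may render differently from the `null` that `json.dumps` emitted before. Pin this with a test row whose description is `None`, or write `h.escape(repo_gr.group_description or '')` so the behaviour does not depend on the helper. The same applies to the user_groups.py hunk (`user_group_description`), the users.py hunk (`user.name`, `user.lastname`) and the first repo.py hunk (`u.name`, `u.lastname`). Since the neighbouring values (`h.boolicon`, `h.person`, `repo_group_actions`) appear to be HTML fragments, a one-line comment above each dict, `# values are rendered as HTML by the client-side table: escape every free-text column`, would record why `desc` is escaped while `raw_name` is not. The methods enclosing these hunks start before and end after them.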
@@ -138,8 +138,8 @@ class RepoModel(BaseModel):
 return json.dumps([
 {
 'id': u.user_id,
- 'fname': u.name,
- 'lname': u.lastname,
+ 'fname': h.escape(u.name),
+ 'lname': h.escape(u.lastname),
 'nname': u.username,
 'gravatar_lnk': h.gravatar_url(u.email, size=28),
 'gravatar_size': 14,
@@ -210,9 +210,9 @@ class RepoModel(BaseModel):
 def desc(desc):
 if c.visual.stylify_metatags:
- return h.urlify_text(h.desc_stylize(h.truncate(desc, 60)))
+ return h.urlify_text(h.desc_stylize(h.escape(h.truncate(desc, 60))))
 else:
- return h.urlify_text(h.escape(h.truncate(desc, 60)))
 def state(repo_state):
 return _render("repo_state", repo_state)
diff --git a/kallithea/templates/summary/summary.html b/kallithea/templates/summary/summary.html
--- a/kallithea/templates/summary/summary.html
+++ b/kallithea/templates/summary/summary.html
@@ -85,9 +85,9 @@ summary = lambda n:{False:'summary-short
 %if c.visual.stylify_metatags:
-
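Review bot: In `desc()` the escape now runs before `h.desc_stylize`, so any metatag syntax containing `>`, `&` or quotes reaches the stylizer already entity-encoded and, as far as I recall of Kallithea's `[key => value]` forms, would no longer match; the `else` branch is unaffected. Worth testing with a description that uses the `=>` form, one containing a bare `<`, and one longer than 60 characters (truncating before escaping, as done here, is the right order since it cannot cut through an entity). If the stylizer does stop matching, the escape belongs inside `desc_stylize` on the captured groups, or its patterns need to accept the encoded form; the result should stay a literal either way so the template does not escape it a second time. `desc` is a nested helper and its enclosing method starts before the hunk.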