# HG changeset patch
# User Thomas De Schampheleire
# Date 2019-02-26 21:27:42
# Node ID 04e44ea05c5fee8744879daf5b2c2e29051f8960
# Parent c9bd000a45675b1029fa19fd25b3db2c37169560
compare: prevent XSS due to unescaped branch/tag/bookmark names In the revision selection dropdown of the 'Compare' functionality, the branch/tag/bookmark names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks.
diff --git a/kallithea/templates/compare/compare_diff.html b/kallithea/templates/compare/compare_diff.html
--- a/kallithea/templates/compare/compare_diff.html
+++ b/kallithea/templates/compare/compare_diff.html
@@ -101,7 +101,7 @@ ${self.repo_context_bar('changelog')}
 $(css_selector).select2({
 placeholder: placeholder,
 formatSelection: function(obj){
- return '{0}@{1}'.format(repo_name, obj.text);
+ return '{0}@{1}'.format(repo_name, obj.text).html_escape();
 },
 dropdownAutoWidth: true,
 query: function(query){
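Review bot: The escaping on the `+` line is correct but carries no explanation, and the reason is easy to lose in a later refactor; a comment above the `return` should record it, e.g. `// obj.text is a branch/tag/bookmark name chosen by whoever pushed it, and select2 inserts formatSelection's return value as HTML, so escape it`. The enclosing `select2({...})` call continues past the hunk's last line; if the same `obj.text` is also rendered by a `formatResult` callback or by the `query` results there, that path needs the same escaping, which this change does not cover. If the bundled select2 passes an `escapeMarkup` callback as `formatSelection`'s third argument, escaping through it rather than the project-specific `html_escape()` would keep this consistent with select2's own result rendering; this depends on the select2 version in use and should be checked rather than assumed.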