# HG changeset patch # User Mads Kiilerich # Date 2019-02-27 02:23:26 # Node ID 22da5f2581183b5d085b8d0355e4bc852b988fba # Parent 74ec3a3bfdc7c8de5046bea923dc71fc1cafd0c4 pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted The user information passed to autocompleteFormatter from select2 is the raw data which might contain HTML markup controlled by the user. That could cause XSS issues, already when loading a PR page. To avoid that, make sure autocompleteHighlightMatch always escape user information. That makes the user safe as long as a rogue user isn't selected ... diff --git a/kallithea/public/js/base.js b/kallithea/public/js/base.js --- a/kallithea/public/js/base.js +++ b/kallithea/public/js/base.js @@ -1046,16 +1046,17 @@ var autocompleteMatchGroups = function ( return matches; }; -// Highlight the snippet if it is found in the full text. +// Highlight the snippet if it is found in the full text, while escaping any existing markup. // Snippet must be lowercased already. var autocompleteHighlightMatch = function (full, snippet) { var matchindex = full.toLowerCase().indexOf(snippet); if (matchindex <0) - return full; - return full.substring(0, matchindex) + return full.html_escape(); + return full.substring(0, matchindex).html_escape() + '' - + full.substr(matchindex, snippet.length) - + '' + full.substring(matchindex + snippet.length); + + full.substr(matchindex, snippet.length).html_escape() + + '' + + full.substring(matchindex + snippet.length).html_escape(); }; // Return html snippet for showing the provided gravatar url @@ -1081,7 +1082,7 @@ var autocompleteGravatar = function(res, return '

{0}{1}

'.format(elem, res); } -// Custom formatter to highlight the matching letters +// Custom formatter to highlight the matching letters and do HTML escaping var autocompleteFormatter = function (oResultData, sQuery, sResultMatch) { var query; if (sQuery && sQuery.toLowerCase) // YAHOO AutoComplete