# HG changeset patch
# User Mads Kiilerich
# Date 2019-02-27 02:30:18
# Node ID 391fde4cbf12ccf714af9e4658dca5ca18817f53
# Parent 109b068ba6e5efc80b4479a2dc7b6c2edd259b57
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS On repository pages, the 'Switch To' did not escape branches correctly. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks with .html_escape() .
diff --git a/kallithea/templates/base/base.html b/kallithea/templates/base/base.html
--- a/kallithea/templates/base/base.html
+++ b/kallithea/templates/base/base.html
@@ -194,10 +194,10 @@
 dropdownAutoWidth: true,
 sortResults: prefixFirstSort,
 formatResult: function(obj) {
- return obj.text;
+ return obj.text.html_escape();
 },
 formatSelection: function(obj) {
- return obj.text;
+ return obj.text.html_escape();
 },
 formatNoMatches: function(term) {
 return ${h.jshtml(_('No matches found'))};
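Review bot: The two new `obj.text.html_escape()` calls in formatResult and formatSelection leave no trace of why manual escaping is needed here, and Select2 normally escapes formatResult output itself unless its `escapeMarkup` option has been overridden; a comment at the first call, `// obj.text is a user-controlled branch/tag/bookmark name rendered as HTML by Select2 - escape it here`, would stop a future cleanup from reverting to the raw text. `html_escape` looks like a String.prototype extension defined elsewhere in the codebase, so its availability on every page that includes this template should be confirmed, as a missing definition would throw rather than fail safe. If other select2 widgets in the project render user-controlled names through custom formatResult/formatSelection callbacks, they presumably need the same treatment; this hunk only covers the 'Switch To' menu. The enclosing select2 options object starts and ends outside the hunk.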