# HG changeset patch
# User Mads Kiilerich
# Date 2019-02-27 02:23:26
# Node ID 429c2c8a4354b92c1ce699755d798ea773019a12
# Parent 9beef1d91c4cd2455d2d796eec19f8a068a4468c
pullrequests: prevent XSS in @mention completion when first and last names cannot be trusted
atwho used in MentionsAutoComplete is passing raw user controlled data which might contain HTML markup. That could cause XSS issues when completion hit a rogue user name. To avoid that, make sure displayTpl always escape user information, as recommended in https://github.com/ichord/At.js/issues/334 .

diff --git a/kallithea/public/js/base.js b/kallithea/public/js/base.js
--- a/kallithea/public/js/base.js
+++ b/kallithea/public/js/base.js
@@ -1198,7 +1198,13 @@ var MentionsAutoComplete = function ($in
 return items;
 }
 },
- displayTpl: "
  • " + autocompleteGravatar('${fname} ${lname} (${nname})', '${gravatar_lnk}', 16) + "
  • ",
+ displayTpl: function(item) {
+ return "
  • " +
+ autocompleteGravatar(
+ "{0} {1} ({2})".format(item.fname, item.lname, item.nname).html_escape(),
+ '${gravatar_lnk}', 16) +
+ "
  • ";
+ },
 insertTpl: "${atwho-at}${nname}"
 });
 };
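Review bot: The escaping added in the new displayTpl covers only fname, lname and nname; `'${gravatar_lnk}'` is still left as an atwho placeholder, so if At.js's tplEval path still interpolates `${...}` tokens in the string a displayTpl function returns, that value reaches the markup unescaped and the fix relies on gravatar_lnk being a server-generated URL rather than profile data a user can edit. If that field can ever carry user-controlled text, route it through the same escaping instead of the template token, e.g. `item.gravatar_lnk.html_escape()` as the second argument to autocompleteGravatar (where that helper places the value, attribute or text, is defined outside this hunk — confirm there). A comment above the function would also keep the next maintainer from reverting to a string template: `// displayTpl must stay a function: names are user-editable, so html_escape() them before At.js inserts the markup (At.js issue 334).` The enclosing MentionsAutoComplete function starts outside the hunk.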