# HG changeset patch
# User Andrew Shadura <andrew@shadura.me>
# Date 2015-01-14 17:45:22
# Node ID 61d7fffbdf52c3c04276c702981c2373c012faa7
# Parent  46c6eb7f1d663dbb3c2b02c8be4872d79698a3c8

templates: fix HTML injection via file names

diff --git a/kallithea/templates/files/files_browser.html b/kallithea/templates/files/files_browser.html
--- a/kallithea/templates/files/files_browser.html
+++ b/kallithea/templates/files/files_browser.html
@@ -22,7 +22,7 @@
         elif node.is_submodule():
             c = "icon-file-submodule"
     %>
-    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, node.name))%>
+    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, h.escape(node.name)))%>
 </%def>
 <div id="body" class="browserblock">
     <div class="browser-header">