# HG changeset patch
# User Thomas De Schampheleire
# Date 2019-02-26 21:27:42
# Node ID a8d873e9cab0cc05b70acc98545f1da7427371ee
# Parent 391fde4cbf12ccf714af9e4658dca5ca18817f53
compare: prevent XSS due to unescaped branch/tag/bookmark names
In the revision selection dropdown of the 'Compare' functionality, the branch/tag/bookmark names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability. Fix the problem by correctly escaping the branch/tag/bookmarks.
diff --git a/kallithea/templates/compare/compare_diff.html b/kallithea/templates/compare/compare_diff.html
--- a/kallithea/templates/compare/compare_diff.html
+++ b/kallithea/templates/compare/compare_diff.html
@@ -107,7 +107,7 @@ ${self.repo_context_bar('changelog')}
 $(css_selector).select2({
 placeholder: '{0}@{1}'.format(repo_name, ref_name || ${h.jshtml(_('Select changeset'))}),
 formatSelection: function(obj){
- return '{0}@{1}'.format(repo_name, obj.text);
+ return '{0}@{1}'.format(repo_name, obj.text).html_escape();
 },
 dropdownAutoWidth: true,
 maxResults: 50,
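Review bot: The escaping is applied only in `formatSelection`, the text rendered for the chosen entry, while the `select2({...})` options object starts and ends outside the hunk; if it also defines a `formatResult` callback (or a custom `escapeMarkup`) for the entries listed in the dropdown, the same branch/tag/bookmark names flow through there and need the same `.html_escape()` treatment, otherwise the list itself remains injectable. The `placeholder` line above interpolates `ref_name` unescaped, and whether select2 escapes the placeholder depends on the library version, so that path deserves the same verification. Escaping the whole formatted string rather than just `obj.text` also escapes `repo_name`, which is the safer choice for HTML output, but worth a comment such as `// escape the whole label: obj.text is an unsanitized ref name from the repository` so a later reader does not "simplify" it back to the unescaped form. The fix presumes a `String.prototype.html_escape` helper is loaded on this page by the project's base scripts; confirm that rather than assuming it, since a missing helper would throw and leave no fallback.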