# HG changeset patch
# User Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
# Date 2019-04-24 20:58:31
# Node ID b9b719fb477440488bc1a47c890b6d0d38a4ae76
# Parent  bfee46530202450faef7bd25c4f7abb8d1ff0cd1

search: fix XSS vulnerability in search results

The search feature did not correctly escape all arguments when displaying
search matches and linking to the corresponding files.

An attacker that can control the contents of a repository could thus cause
a cross-site scripting (XSS) vulnerability.

Fix the problem by removing the overall h.literal call that is only needed
for the HTML entity &raquo; and splitting the link instead.

We take the opportunity to improving the destination of the part before
&raquo; which is the path to the repository. Instead of pointing to the
search result, point to the repository itself.
The part after &raquo; remains linked to the file containing the search
match.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

diff --git a/kallithea/templates/search/search_commit.html b/kallithea/templates/search/search_commit.html
--- a/kallithea/templates/search/search_commit.html
+++ b/kallithea/templates/search/search_commit.html
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['raw_id'])),
-                    h.url('changeset_home',repo_name=sr['repository'],revision=sr['raw_id']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['raw_id'], h.url('changeset_home', repo_name=sr['repository'], revision=sr['raw_id']))}
                 ${h.fmt_date(h.time_to_datetime(sr['date']))}
             </div>
             <div class="panel-body">
diff --git a/kallithea/templates/search/search_content.html b/kallithea/templates/search/search_content.html
--- a/kallithea/templates/search/search_content.html
+++ b/kallithea/templates/search/search_content.html
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),
-                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}
             </div>
             <div class="panel-body search-code-body">
                 <pre>${h.literal(sr['content_short_hl'])}</pre>
diff --git a/kallithea/templates/search/search_path.html b/kallithea/templates/search/search_path.html
--- a/kallithea/templates/search/search_path.html
+++ b/kallithea/templates/search/search_path.html
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),
-                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}
             </div>
         </div>
     %else: