# HG changeset patch
# User Thomas De Schampheleire
# Date 2019-04-19 20:54:46
# Node ID ddad3be4dc44901c784e4e721abd91a639af4a11
# Parent b9b719fb477440488bc1a47c890b6d0d38a4ae76
changeset: fix XSS vulnerability in parent-child navigation
The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser normally immediately jump to the correct revision upon click. But, if there are multiple candidates, e.g. two children of a commit, then a list of revisions is shown as hyperlinks instead. These hyperlinks have a 'title' attribute containing the full commit message of the corresponding commit. When this commit message contains characters special to HTML, like ", >, etc. they were added literally to the HTML code. This can lead to a cross-site scripting (XSS) vulnerability when an attacker has write access to a repository. They could craft a special commit message that would introduce HTML and/or JavaScript code when the commit is listed in such 'parent-child' navigation links. Escape the commit message before using it further.
diff --git a/kallithea/public/js/base.js b/kallithea/public/js/base.js
--- a/kallithea/public/js/base.js
+++ b/kallithea/public/js/base.js
@@ -1493,7 +1493,7 @@ var activate_parent_child_links = functi
 for(var i = 0; i < data.results.length; i++){
 _html.push(template
 .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6)))
- .replace('__title__', data.results[i].message)
+ .replace('__title__', data.results[i].message.html_escape())
 .replace('__url__', pyroutes.url('changeset_home', { 'repo_name': repo_name, 'revision': data.results[i].raw_id}))
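Review bot: The escaped message is still handed to `String.prototype.replace` as a replacement string, so any `$`-prefixed replacement pattern inside the commit message is interpreted by `replace` rather than inserted literally, and nothing in the hunk suggests `html_escape()` neutralises `$`. Since the message is exactly the attacker-controlled value this change hardens against, a function replacement inserts it verbatim: `.replace('__title__', function(){ return data.results[i].message.html_escape(); })`. This also assumes `html_escape()` encodes both quote characters, which the `title="..."` attribute context described in the commit message requires; if it only covers `&`, `<` and `>`, the attribute can still be broken out of. The enclosing `for` body is complete here, but `activate_parent_child_links` starts and ends outside the hunk.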