Changeset - 04e44ea05c5f
stable
0 1 0
Thomas De Schampheleire - 7 years ago 2019-02-26 21:27:42
thomas.de_schampheleire@nokia.com
compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmark names.
1 file changed with 1 insertions and 1 deletions:
0 comments (0 inline, 0 general)
kallithea/templates/compare/compare_diff.html
 
@@ -80,49 +80,49 @@ ${self.repo_context_bar('changelog')}
 
         </div>
 

	
 
        ## diff block
 
        <%namespace name="diff_block" file="/changeset/diff_block.html"/>
 
        ${diff_block.diff_block_js()}
 
        %for fid, change, f, stat in c.files:
 
          ${diff_block.diff_block_simple([c.changes[fid]])}
 
        %endfor
 
        % if c.limited_diff:
 
          <h4>${_('Changeset was too big and was cut off...')} <a href="${h.url.current(fulldiff=1, **request.GET.mixed())}">${_('Show full diff')}</a></h4>
 
        % endif
 
    %endif
 
    </div>
 

	
 
</div>
 
    <script type="text/javascript">
 

	
 
   $(document).ready(function(){
 
    var cache = {};
 

	
 
    function make_revision_dropdown(css_selector, placeholder, repo_name, cache_key) {
 
      $(css_selector).select2({
 
        placeholder: placeholder,
 
        formatSelection: function(obj){
 
            return '{0}@{1}'.format(repo_name, obj.text);
 
            return '{0}@{1}'.format(repo_name, obj.text).html_escape();
 
        },
 
        dropdownAutoWidth: true,
 
        query: function(query){
 
          var key = cache_key;
 
          var cached = cache[key] ;
 
          if(cached) {
 
            var data = {results: []};
 
            //filter results
 
            $.each(cached.results, function(){
 
                var section = this.text;
 
                var children = [];
 
                $.each(this.children, function(){
 
                    if(query.term.length == 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0 ){
 
                        children.push(this);
 
                    }
 
                });
 
                data.results.push({'text': section, 'children': children});
 
            });
 
            //push the typed in changeset
 
            data.results.push({'text':_TM['Specify changeset'],
 
                               'children': [{'id': query.term, 'text': query.term, 'type': 'rev'}]});
 
            query.callback(data);
 
          }else{
 
              $.ajax({
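Review bot: The escaping added in `formatSelection` covers only the selected-item rendering; the same branch/tag/bookmark names reach select2 as result entries through `children.push(this)` and the typed term is pushed verbatim as `{'id': query.term, 'text': query.term}`, and this hunk does not show how those results are rendered (no `formatResult`/`escapeMarkup` option is visible in the `select2({...})` call). If the result formatter is not escaping `obj.text` on the same path, the dropdown list presumably still has the problem the commit message describes; confirm that against the select2 version in use and the options set outside this hunk. A short comment on the changed line would make the intent durable: `// obj.text is a branch/tag/bookmark name taken from the repository; escape it before select2 inserts it as markup`. Note that `make_revision_dropdown` and the enclosing `$(document).ready` handler continue past the end of the hunk.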