kallithea Changeset - 391fde4cbf12

Changeset - 391fde4cbf12

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 7 years ago 2019-02-27 02:30:18
mads@kiilerich.com

base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .

1 file changed with 2 insertions and 2 deletions:

kallithea/templates/base/base.html

0 comments (0 inline, 0 general)

kallithea/templates/base/base.html

➞

Show inline comments

@@ @@ -185,28 +185,28 @@ @@
     </div>
   </nav>
   <script type="text/javascript">
     $(document).ready(function() {
       var bcache = {};
       var branch_switcher_placeholder = '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>';
       $("#branch_switcher").select2({
           placeholder: branch_switcher_placeholder,
           dropdownAutoWidth: true,
           sortResults: prefixFirstSort,
           formatResult: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatSelection: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatNoMatches: function(term) {
               return ${h.jshtml(_('No matches found'))};
           },
           escapeMarkup: function(m) {
               if (m == branch_switcher_placeholder)
                   return branch_switcher_placeholder;
               return Select2.util.escapeMarkup(m);
           },
           containerCssClass: "branch-switcher",
           dropdownCssClass: "repo-switcher-dropdown",
           query: function(query) {

0 comments (0 inline, 0 general)