kallithea Changeset - 391fde4cbf12

Changeset - 391fde4cbf12

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 7 years ago 2019-02-27 02:30:18
mads@kiilerich.com

base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .

1 file changed with 2 insertions and 2 deletions:

kallithea/templates/base/base.html

0 comments (0 inline, 0 general)

kallithea/templates/base/base.html

➞

Show inline comments

@@ @@ -173,52 +173,52 @@ @@
                    <a href="#" class="${'following' if c.repository_following else 'follow'}" onclick="toggleFollowingRepo(this, ${c.db_repo.repo_id});">
                     <span class="show-follow"><i class="icon-heart-empty"></i>${_('Follow')}</span>
                     <span class="show-following"><i class="icon-heart"></i>${_('Unfollow')}</span>
                    </a>
                   </li>
                   <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Fork')}</a></li>
                   <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Create Pull Request')}</a></li>
               %endif
              </ul>
         </li>
     </ul>
     </div>
     </div>
   </nav>
   <script type="text/javascript">
     $(document).ready(function() {
       var bcache = {};
       var branch_switcher_placeholder = '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>';
       $("#branch_switcher").select2({
           placeholder: branch_switcher_placeholder,
           dropdownAutoWidth: true,
           sortResults: prefixFirstSort,
           formatResult: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatSelection: function(obj) {
               return obj.text;
+              return obj.text.html_escape();
           },
           formatNoMatches: function(term) {
               return ${h.jshtml(_('No matches found'))};
           },
           escapeMarkup: function(m) {
               if (m == branch_switcher_placeholder)
                   return branch_switcher_placeholder;
               return Select2.util.escapeMarkup(m);
           },
           containerCssClass: "branch-switcher",
           dropdownCssClass: "repo-switcher-dropdown",
           query: function(query) {
               var key = 'cache';
               var cached = bcache[key];
               if (cached) {
                   var data = {
                       results: []
                   };
                   // filter results
                   $.each(cached.results, function() {
                       var section = this.text;
                       var children = [];
                       $.each(this.children, function() {
                           if (query.term.length === 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0) {

0 comments (0 inline, 0 general)