Changeset - 48b9fdef5e7f
[Not reviewed]
stable
Mads Kiilerich - 5 years ago 2020-11-11 17:03:40
mads@kiilerich.com
repo_groups: extra escape of names when used in select drop-downs

The lack of escaping could be a problem *if* it was possible to create repo
groups with dangerous names.

This was seen for example when specifying parent group of repos and repo
groups.

We want to keep groups_choices as HTML literals so paths can use » as
separator.
1 file changed with 2 insertions and 1 deletions:
0 comments (0 inline, 0 general)
kallithea/model/db.py
 
@@ -1407,9 +1407,10 @@ class RepoGroup(Base, BaseDbModel):
 
    def _generate_choice(cls, repo_group):
 
        """Return tuple with group_id and name as html literal"""
 
        from webhelpers2.html import literal
 
        import kallithea.lib.helpers as h
 
        if repo_group is None:
 
            return (-1, '-- %s --' % _('top level'))
 
        return repo_group.group_id, literal(cls.SEP.join(repo_group.full_path_splitted))
 
        return repo_group.group_id, literal(cls.SEP.join(h.html_escape(x) for x in repo_group.full_path_splitted))
 

	
 
    @classmethod
 
    def groups_choices(cls, groups):
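Review bot: the `repo_group is None` branch still returns the sentinel `'-- %s --' % _('top level')` as a plain str while the other branch now returns a `literal`, so the docstring "Return tuple with group_id and name as html literal" no longer describes both return values; either state in the docstring that the top-level sentinel is plain (auto-escaped) text, or make both branches consistent. The escaping change itself is in the right order (each path component passes through `h.html_escape(x)` before `cls.SEP.join(...)`, so the `»` separator survives as markup while names do not), but the new local `import kallithea.lib.helpers as h` inside the method deserves a short comment on why it is not a module-level import (presumably a circular-import avoidance, which the visible lines do not state). It is also worth confirming that `h.html_escape` escapes `"` and `'` in addition to `<`, `>` and `&`, since a choice label that is ever rendered into an attribute rather than option text would otherwise still be a problem.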