Changeset - 61d7fffbdf52
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Andrew Shadura - 11 years ago 2015-01-14 17:45:22
andrew@shadura.me
templates: fix HTML injection via file names
1 file changed with 1 insertions and 1 deletions:
kallithea/templates/files/files_browser.html
1
1
0 comments (0 inline, 0 general)
kallithea/templates/files/files_browser.html
Show inline comments
 
@@ -13,25 +13,25 @@
 
    %else:
 
        <%return h.url('files_home', repo_name=c.repo_name, revision=c.changeset.raw_id, f_path=h.safe_unicode(node.path))%>
 
    %endif
 
</%def>
 
<%def name="file_name(node)">
 
    <%
 
        c = "icon-folder-open"
 
        if node.is_file():
 
            c = "icon-doc"
 
        elif node.is_submodule():
 
            c = "icon-file-submodule"
 
    %>
 
    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, node.name))%>
 
    <%return h.literal('<i class="%s"></i><span>%s</span>' % (c, h.escape(node.name)))%>
 
</%def>
 
<div id="body" class="browserblock">
 
    <div class="browser-header">
 
        <div class="browser-nav">
 
            ${h.form(h.url.current())}
 
            <div class="info_box">
 
              <div class="info_box_elem rev">${_('revision')}</div>
 
              <div class="info_box_elem"><a class="btn btn-mini ypjax-link" href="${c.url_prev}" title="${_('Previous revision')}"><i class="icon-left-open"></i></a></div>
 
              <div class="info_box_elem">${h.text('at_rev',value=c.changeset.revision,size=5)}</div>
 
              <div class="info_box_elem"><a class="btn btn-mini ypjax-link" href="${c.url_next}" title="${_('Next revision')}"><i class="icon-right-open"></i></a></div>
 
            </div>
 
            ${h.end_form()}
0 comments (0 inline, 0 general)
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.