kallithea Changeset - ddad3be4dc44

Changeset - ddad3be4dc44

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Thomas De Schampheleire - 7 years ago 2019-04-19 20:54:46
thomas.de_schampheleire@nokia.com

changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.

1 file changed with 1 insertions and 1 deletions:

kallithea/public/js/base.js

0 comments (0 inline, 0 general)

kallithea/public/js/base.js

➞

Show inline comments

@@ @@ -728,782 +728,782 @@ function _comment_div_append_form($comme @@
         var success = function(json_data) {
             if (pr_delete) {
                 location = json_data['location'];
             } else {
                 $comment_div.append(json_data['rendered_text']);
                 comment_div_state($comment_div, f_path, line_no);
                 linkInlineComments($('.firstlink'), $('.comment:first-child'));
                 if ((review_status || pr_close) && !f_path && !line_no) {
                     // Page changed a lot - reload it after closing the submitted form
                     comment_div_state($comment_div, f_path, line_no, false);
                     location.reload(true);
+                }
+            }
         };
         var failure = function(x, s, e) {
             $preview.removeClass('submitting').addClass('failed');
             var $status = $preview.find('.comment-submission-status');
             $('<span>', {
                 'title': e,
                 text: _TM['Unable to post']
             }).replaceAll($status.contents());
             $('<div>', {
                 'class': 'btn-group'
             }).append(
                 $('<button>', {
                     'class': 'btn btn-default btn-xs',
                     text: _TM['Retry']
                 }).click(function() {
                     $status.text(_TM['Submitting ...']);
                     $preview.addClass('submitting').removeClass('failed');
                     ajaxPOST(AJAX_COMMENT_URL, postData, success, failure);
                 }),
                 $('<button>', {
                     'class': 'btn btn-default btn-xs',
                     text: _TM['Cancel']
                 }).click(function() {
                     comment_div_state($comment_div, f_path, line_no);
                 })
             ).appendTo($status);
         };
         ajaxPOST(AJAX_COMMENT_URL, postData, success, failure);
     });
     // add event handler for hide/cancel buttons
     $form.find('.hide-inline-form').click(function(e) {
         comment_div_state($comment_div, f_path, line_no);
     });
     tooltip_activate();
     if ($textarea.length > 0) {
         MentionsAutoComplete($textarea);
+    }
     if (f_path) {
         $textarea.focus();
+    }
+}
 function deleteComment(comment_id) {
     var url = AJAX_COMMENT_DELETE_URL.replace('__COMMENT_ID__', comment_id);
     var postData = {};
     var success = function(o) {
         $('#comment-'+comment_id).remove();
         // Ignore that this might leave a stray Add button (or have a pending form with another comment) ...
+    }
     ajaxPOST(url, postData, success);
+}
 /**
  * Double link comments
  */
 var linkInlineComments = function($firstlinks, $comments){
     if ($comments.length > 0) {
         $firstlinks.html('<a href="#{0}">First comment</a>'.format($comments.prop('id')));
+    }
     if ($comments.length <= 1) {
         return;
+    }
     $comments.each(function(i, e){
             var prev = '';
             if (i > 0){
                 var prev_anchor = $($comments.get(i-1)).prop('id');
                 prev = '<a href="#{0}">Previous comment</a>'.format(prev_anchor);
+            }
             var next = '';
             if (i+1 < $comments.length){
                 var next_anchor = $($comments.get(i+1)).prop('id');
                 next = '<a href="#{0}">Next comment</a>'.format(next_anchor);
+            }
             $(this).find('.comment-prev-next-links').html(
                 '<div class="prev-comment">{0}</div>'.format(prev) +
                 '<div class="next-comment">{0}</div>'.format(next));
         });
+}
 /* activate files.html stuff */
 var fileBrowserListeners = function(node_list_url, url_base){
     var $node_filter = $('#node_filter');
     var filterTimeout = null;
     var nodes = null;
     var initFilter = function(){
         $('#node_filter_box_loading').show();
         $('#search_activate_id').hide();
         $('#add_node_id').hide();
         $.ajax({url: node_list_url, headers: {'X-PARTIAL-XHR': '1'}, cache: false})
             .done(function(json) {
                     nodes = json.nodes;
                     $('#node_filter_box_loading').hide();
                     $('#node_filter_box').show();
                     $node_filter.focus();
                     if($node_filter.hasClass('init')){
                         $node_filter.val('');
                         $node_filter.removeClass('init');
+                    }
                 })
             .fail(function() {
                     console.log('fileBrowserListeners initFilter failed to load');
                 })
+        ;
+    }
     var updateFilter = function(e) {
         return function(){
             // Reset timeout
             filterTimeout = null;
             var query = e.currentTarget.value.toLowerCase();
             var match = [];
             var matches = 0;
             var matches_max = 20;
             if (query != ""){
                 for(var i=0;i<nodes.length;i++){
                     var pos = nodes[i].name.toLowerCase().indexOf(query);
                     if(query && pos != -1){
                         matches++
                         //show only certain amount to not kill browser
                         if (matches > matches_max){
                             break;
+                        }
                         var n = nodes[i].name;
                         var t = nodes[i].type;
                         var n_hl = n.substring(0,pos)
                             + "<b>{0}</b>".format(n.substring(pos,pos+query.length))
                             + n.substring(pos+query.length);
                         var new_url = url_base.replace('__FPATH__',n);
                         match.push('<tr><td><a class="browser-{0}" href="{1}">{2}</a></td><td colspan="5"></td></tr>'.format(t,new_url,n_hl));
+                    }
                     if(match.length >= matches_max){
                         match.push('<tr><td>{0}</td><td colspan="5"></td></tr>'.format(_TM['Search truncated']));
                         break;
+                    }
+                }
+            }
             if(query != ""){
                 $('#tbody').hide();
                 $('#tbody_filtered').show();
                 if (match.length==0){
                   match.push('<tr><td>{0}</td><td colspan="5"></td></tr>'.format(_TM['No matching files']));
+                }
                 $('#tbody_filtered').html(match.join(""));
+            }
             else{
                 $('#tbody').show();
                 $('#tbody_filtered').hide();
+            }
+        }
     };
     $('#filter_activate').click(function(){
             initFilter();
         });
     $node_filter.click(function(){
             if($node_filter.hasClass('init')){
                 $node_filter.val('');
                 $node_filter.removeClass('init');
+            }
         });
     $node_filter.keyup(function(e){
             clearTimeout(filterTimeout);
             filterTimeout = setTimeout(updateFilter(e),600);
         });
 };
 var initCodeMirror = function(textarea_id, baseUrl, resetUrl){
     var myCodeMirror = CodeMirror.fromTextArea($('#' + textarea_id)[0], {
             mode: "null",
             lineNumbers: true,
             indentUnit: 4,
             autofocus: true
         });
     CodeMirror.modeURL = baseUrl + "/codemirror/mode/%N/%N.js";
     $('#reset').click(function(e){
             window.location=resetUrl;
         });
     $('#file_enable').click(function(){
             $('#upload_file_container').hide();
             $('#filename_container').show();
             $('#body').show();
         });
     $('#upload_file_enable').click(function(){
             $('#upload_file_container').show();
             $('#filename_container').hide();
             $('#body').hide();
         });
     return myCodeMirror
 };
 var setCodeMirrorMode = function(codeMirrorInstance, mode) {
     CodeMirror.autoLoadMode(codeMirrorInstance, mode);
+}
 var _getIdentNode = function(n){
     //iterate thrugh nodes until matching interesting node
     if (typeof n == 'undefined'){
         return -1
+    }
     if(typeof n.id != "undefined" && n.id.match('L[0-9]+')){
         return n
+    }
     else{
         return _getIdentNode(n.parentNode);
+    }
 };
 /* generate links for multi line selects that can be shown by files.html page_highlights.
  * This is a mouseup handler for hlcode from CodeHtmlFormatter and pygmentize */
 var getSelectionLink = function(e) {
     //get selection from start/to nodes
     if (typeof window.getSelection != "undefined") {
         var s = window.getSelection();
         var from = _getIdentNode(s.anchorNode);
         var till = _getIdentNode(s.focusNode);
         var f_int = parseInt(from.id.replace('L',''));
         var t_int = parseInt(till.id.replace('L',''));
         var yoffset = 35;
         var ranges = [parseInt(from.id.replace('L','')), parseInt(till.id.replace('L',''))];
         if (ranges[0] > ranges[1]){
             //highlight from bottom
             yoffset = -yoffset;
             ranges = [ranges[1], ranges[0]];
+        }
         var $hl_div = $('div#linktt');
         // if we select more than 2 lines
         if (ranges[0] != ranges[1]){
             if ($hl_div.length) {
                 $hl_div.html('');
             } else {
                 $hl_div = $('<div id="linktt" class="hl-tip-box">');
                 $('body').prepend($hl_div);
+            }
             $hl_div.append($('<a>').html(_TM['Selection Link']).prop('href', location.href.substring(0, location.href.indexOf('#')) + '#L' + ranges[0] + '-'+ranges[1]));
             var xy = $(till).offset();
             $hl_div.css('top', (xy.top + yoffset) + 'px').css('left', xy.left + 'px');
             $hl_div.show();
+        }
         else{
             $hl_div.hide();
+        }
+    }
 };
 /**
  * Autocomplete functionality
  */
 // Custom search function for the DataSource of users
 var autocompleteMatchUsers = function (sQuery, myUsers) {
     // Case insensitive matching
     var query = sQuery.toLowerCase();
     var i = 0;
     var l = myUsers.length;
     var matches = [];
     // Match against each name of each contact
     for (; i < l; i++) {
         var contact = myUsers[i];
         if (((contact.fname+"").toLowerCase().indexOf(query) > -1) ||
              ((contact.lname+"").toLowerCase().indexOf(query) > -1) ||
              ((contact.nname) && ((contact.nname).toLowerCase().indexOf(query) > -1))) {
             matches[matches.length] = contact;
+        }
+    }
     return matches;
 };
 // Custom search function for the DataSource of userGroups
 var autocompleteMatchGroups = function (sQuery, myGroups) {
     // Case insensitive matching
     var query = sQuery.toLowerCase();
     var i = 0;
     var l = myGroups.length;
     var matches = [];
     // Match against each name of each group
     for (; i < l; i++) {
         var matched_group = myGroups[i];
         if (matched_group.grname.toLowerCase().indexOf(query) > -1) {
             matches[matches.length] = matched_group;
+        }
+    }
     return matches;
 };
 // Highlight the snippet if it is found in the full text, while escaping any existing markup.
 // Snippet must be lowercased already.
 var autocompleteHighlightMatch = function (full, snippet) {
     var matchindex = full.toLowerCase().indexOf(snippet);
     if (matchindex <0)
         return full.html_escape();
     return full.substring(0, matchindex).html_escape()
         + '<span class="select2-match">'
         + full.substr(matchindex, snippet.length).html_escape()
         + '</span>'
         + full.substring(matchindex + snippet.length).html_escape();
 };
 // Return html snippet for showing the provided gravatar url
 var gravatar = function(gravatar_lnk, size, cssclass) {
     if (!gravatar_lnk) {
         return '';
+    }
     if (gravatar_lnk == 'default') {
         return '<i class="icon-user {1}" style="font-size: {0}px;"></i>'.format(size, cssclass);
+    }
     return ('<i class="icon-gravatar {2}"' +
             ' style="font-size: {0}px;background-image: url(\'{1}\'); background-size: {0}px"' +
             '></i>').format(size, gravatar_lnk, cssclass);
+}
 var autocompleteGravatar = function(res, gravatar_lnk, size, group) {
     var elem;
     if (group !== undefined) {
         elem = '<i class="perm-gravatar-ac icon-users"></i>';
     } else {
         elem = gravatar(gravatar_lnk, size, "perm-gravatar-ac");
+    }
     return '<div class="ac-container-wrap">{0}{1}</div>'.format(elem, res);
+}
 // Custom formatter to highlight the matching letters and do HTML escaping
 var autocompleteFormatter = function (oResultData, sQuery, sResultMatch) {
     var query;
     if (sQuery && sQuery.toLowerCase) // YAHOO AutoComplete
         query = sQuery.toLowerCase();
     else if (sResultMatch && sResultMatch.term) // select2 - parameter names doesn't match
         query = sResultMatch.term.toLowerCase();
     // group
     if (oResultData.type == "group") {
         return autocompleteGravatar(
             "{0}: {1}".format(
                 _TM['Group'],
                 autocompleteHighlightMatch(oResultData.grname, query)),
             null, null, true);
+    }
     // users
     if (oResultData.nname) {
         var displayname = autocompleteHighlightMatch(oResultData.nname, query);
         if (oResultData.fname && oResultData.lname) {
             displayname = "{0} {1} ({2})".format(
                 autocompleteHighlightMatch(oResultData.fname, query),
                 autocompleteHighlightMatch(oResultData.lname, query),
                 displayname);
+        }
         return autocompleteGravatar(displayname, oResultData.gravatar_lnk, oResultData.gravatar_size);
+    }
     return '';
 };
 var SimpleUserAutoComplete = function ($inputElement) {
     $inputElement.select2({
         formatInputTooShort: $inputElement.attr('placeholder'),
         initSelection : function (element, callback) {
             $.ajax({
                 url: pyroutes.url('users_and_groups_data'),
                 dataType: 'json',
                 data: {
                     key: element.val()
                 },
                 success: function(data){
                   callback(data.results[0]);
+                }
             });
         },
         minimumInputLength: 1,
         ajax: {
             url: pyroutes.url('users_and_groups_data'),
             dataType: 'json',
             data: function(term, page){
               return {
                 query: term
               };
             },
             results: function (data, page){
               return data;
             },
             cache: true
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
         id: function(item) { return item.nname; },
     });
+}
 var MembersAutoComplete = function ($inputElement, $typeElement) {
     $inputElement.select2({
         placeholder: $inputElement.attr('placeholder'),
         minimumInputLength: 1,
         ajax: {
             url: pyroutes.url('users_and_groups_data'),
             dataType: 'json',
             data: function(term, page){
               return {
                 query: term,
                 types: 'users,groups'
               };
             },
             results: function (data, page){
               return data;
             },
             cache: true
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
         id: function(item) { return item.type == 'user' ? item.nname : item.grname },
     }).on("select2-selecting", function(e) {
         // e.choice.id is automatically used as selection value - just set the type of the selection
         $typeElement.val(e.choice.type);
     });
+}
 var MentionsAutoComplete = function ($inputElement) {
   $inputElement.atwho({
     at: "@",
     callbacks: {
       remoteFilter: function(query, callback) {
         $.getJSON(
           pyroutes.url('users_and_groups_data'),
+          {
             query: query,
             types: 'users'
           },
           function(data) {
             callback(data.results)
+          }
         );
       },
       sorter: function(query, items, searchKey) {
         return items;
+      }
     },
     displayTpl: function(item) {
         return "<li>" +
             autocompleteGravatar(
                 "{0} {1} ({2})".format(item.fname, item.lname, item.nname).html_escape(),
                 '${gravatar_lnk}', 16) +
             "</li>";
     },
     insertTpl: "${atwho-at}${nname}"
   });
 };
 // Set caret at the given position in the input element
 function _setCaretPosition($inputElement, caretPos) {
     $inputElement.each(function(){
         if(this.createTextRange) { // IE
             var range = this.createTextRange();
             range.move('character', caretPos);
             range.select();
+        }
         else if(this.selectionStart) { // other recent browsers
             this.focus();
             this.setSelectionRange(caretPos, caretPos);
+        }
         else // last resort - very old browser
             this.focus();
     });
+}
 var addReviewMember = function(id,fname,lname,nname,gravatar_link,gravatar_size){
     var displayname = nname;
     if ((fname != "") && (lname != "")) {
         displayname = "{0} {1} ({2})".format(fname, lname, nname);
+    }
     var gravatarelm = gravatar(gravatar_link, gravatar_size, "");
     // WARNING: the HTML below is duplicate with
     // kallithea/templates/pullrequests/pullrequest_show.html
     // If you change something here it should be reflected in the template too.
     var element = (
         '     <li id="reviewer_{2}">\n'+
         '       <span class="reviewers_member">\n'+
         '         <input type="hidden" value="{2}" name="review_members" />\n'+
         '         <span class="reviewer_status" data-toggle="tooltip" title="not_reviewed">\n'+
         '             <i class="icon-circle changeset-status-not_reviewed"></i>\n'+
         '         </span>\n'+
         (gravatarelm ?
         '         {0}\n' :
         '')+
         '         <span>{1}</span>\n'+
         '         <a href="#" class="reviewer_member_remove" onclick="removeReviewMember({2})">\n'+
         '             <i class="icon-minus-circled"></i>\n'+
         '         </a> (add not saved)\n'+
         '       </span>\n'+
         '     </li>\n'
         ).format(gravatarelm, displayname.html_escape(), id);
     // check if we don't have this ID already in
     var ids = [];
     $('#review_members').find('li').each(function() {
             ids.push(this.id);
         });
     if(ids.indexOf('reviewer_'+id) == -1){
         //only add if it's not there
         $('#review_members').append(element);
+    }
+}
 var removeReviewMember = function(reviewer_id, repo_name, pull_request_id){
     var $li = $('#reviewer_{0}'.format(reviewer_id));
     $li.find('div div').css("text-decoration", "line-through");
     $li.find('input').prop('name', 'review_members_removed');
     $li.find('.reviewer_member_remove').replaceWith('&nbsp;(remove not saved)');
+}
 /* activate auto completion of users as PR reviewers */
 var PullRequestAutoComplete = function ($inputElement) {
     $inputElement.select2(
+    {
         placeholder: $inputElement.attr('placeholder'),
         minimumInputLength: 1,
         ajax: {
             url: pyroutes.url('users_and_groups_data'),
             dataType: 'json',
             data: function(term, page){
               return {
                 query: term
               };
             },
             results: function (data, page){
               return data;
             },
             cache: true
         },
         formatSelection: autocompleteFormatter,
         formatResult: autocompleteFormatter,
     }).on("select2-selecting", function(e) {
         addReviewMember(e.choice.id, e.choice.fname, e.choice.lname, e.choice.nname,
                         e.choice.gravatar_lnk, e.choice.gravatar_size);
         $inputElement.select2("close");
         e.preventDefault();
     });
+}
 function addPermAction(perm_type) {
     var template =
         '<td><input type="radio" value="{1}.none" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.read" checked="checked" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.write" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td><input type="radio" value="{1}.admin" name="perm_new_member_{0}" id="perm_new_member_{0}"></td>' +
         '<td>' +
                 '<input class="form-control" id="perm_new_member_name_{0}" name="perm_new_member_name_{0}" value="" type="text" placeholder="{2}">' +
                 '<input id="perm_new_member_type_{0}" name="perm_new_member_type_{0}" value="" type="hidden">' +
         '</td>' +
         '<td></td>';
     var $last_node = $('.last_new_member').last(); // empty tr between last and add
     var next_id = $('.new_members').length;
     $last_node.before($('<tr class="new_members">').append(template.format(next_id, perm_type, _TM['Type name of user or member to grant permission'])));
     MembersAutoComplete($("#perm_new_member_name_"+next_id), $("#perm_new_member_type_"+next_id));
+}
 function ajaxActionRevokePermission(url, obj_id, obj_type, field_id, extra_data) {
     var success = function (o) {
             $('#' + field_id).remove();
         };
     var failure = function (o) {
             alert(_TM['Failed to revoke permission'] + ": " + o.status);
         };
     var query_params = {};
     // put extra data into POST
     if (extra_data !== undefined && (typeof extra_data === 'object')){
         for(var k in extra_data){
             query_params[k] = extra_data[k];
+        }
+    }
     if (obj_type=='user'){
         query_params['user_id'] = obj_id;
         query_params['obj_type'] = 'user';
+    }
     else if (obj_type=='user_group'){
         query_params['user_group_id'] = obj_id;
         query_params['obj_type'] = 'user_group';
+    }
     ajaxPOST(url, query_params, success, failure);
 };
 /* Multi selectors */
 var MultiSelectWidget = function(selected_id, available_id, form_id){
     var $availableselect = $('#' + available_id);
     var $selectedselect = $('#' + selected_id);
     //fill available only with those not in selected
     var $selectedoptions = $selectedselect.children('option');
     $availableselect.children('option').filter(function(i, e){
             for(var j = 0, node; node = $selectedoptions[j]; j++){
                 if(node.value == e.value){
                     return true;
+                }
+            }
             return false;
         }).remove();
     $('#add_element').click(function(e){
             $selectedselect.append($availableselect.children('option:selected'));
         });
     $('#remove_element').click(function(e){
             $availableselect.append($selectedselect.children('option:selected'));
         });
     $('#'+form_id).submit(function(){
             $selectedselect.children('option').each(function(i, e){
                 e.selected = 'selected';
             });
         });
+}
 /**
  Branch Sorting callback for select2, modifying the filtered result so prefix
  matches come before matches in the line.
  **/
 var branchSort = function(results, container, query) {
     if (query.term) {
         return results.sort(function (a, b) {
             // Put closed branches after open ones (a bit of a hack ...)
             var aClosed = a.text.indexOf("(closed)") > -1,
                 bClosed = b.text.indexOf("(closed)") > -1;
             if (aClosed && !bClosed) {
                 return 1;
+            }
             if (bClosed && !aClosed) {
                 return -1;
+            }
             // Put early (especially prefix) matches before later matches
             var aPos = a.text.toLowerCase().indexOf(query.term.toLowerCase()),
                 bPos = b.text.toLowerCase().indexOf(query.term.toLowerCase());
             if (aPos < bPos) {
                 return -1;
+            }
             if (bPos < aPos) {
                 return 1;
+            }
             // Default sorting
             if (a.text > b.text) {
                 return 1;
+            }
             if (a.text < b.text) {
                 return -1;
+            }
             return 0;
         });
+    }
     return results;
 };
 var prefixFirstSort = function(results, container, query) {
     if (query.term) {
         return results.sort(function (a, b) {
             // if parent node, no sorting
             if (a.children != undefined || b.children != undefined) {
                 return 0;
+            }
             // Put prefix matches before matches in the line
             var aPos = a.text.toLowerCase().indexOf(query.term.toLowerCase()),
                 bPos = b.text.toLowerCase().indexOf(query.term.toLowerCase());
             if (aPos === 0 && bPos !== 0) {
                 return -1;
+            }
             if (bPos === 0 && aPos !== 0) {
                 return 1;
+            }
             // Default sorting
             if (a.text > b.text) {
                 return 1;
+            }
             if (a.text < b.text) {
                 return -1;
+            }
             return 0;
         });
+    }
     return results;
 };
 /* Helper for jQuery DataTables */
 var updateRowCountCallback = function updateRowCountCallback($elem, onlyDisplayed) {
     return function drawCallback() {
         var info = this.api().page.info(),
             count = onlyDisplayed === true ? info.recordsDisplay : info.recordsTotal;
         $elem.html(count);
+    }
 };
 /**
  * activate changeset parent/child navigation links
  */
 var activate_parent_child_links = function(){
     $('.parent-child-link').on('click', function(e){
         var $this = $(this);
         //fetch via ajax what is going to be the next link, if we have
         //>1 links show them to user to choose
         if(!$this.hasClass('disabled')){
             $.ajax({
                 url: $this.data('ajax-url'),
                 success: function(data) {
                     var repo_name = $this.data('reponame');
                     if(data.results.length === 0){
                         $this.addClass('disabled');
                         $this.text(_TM['No revisions']);
+                    }
                     if(data.results.length === 1){
                         var commit = data.results[0];
                         window.location = pyroutes.url('changeset_home', {'repo_name': repo_name, 'revision': commit.raw_id});
+                    }
                     else if(data.results.length > 1){
                         $this.addClass('disabled');
                         $this.addClass('double');
                         var template =
                             ($this.data('linktype') == 'parent' ? '<i class="icon-left-open"/> ' : '') +
                             '<a title="__title__" href="__url__">__rev__</a>' +
                             ($this.data('linktype') == 'child' ? ' <i class="icon-right-open"/>' : '');
                         var _html = [];
                         for(var i = 0; i < data.results.length; i++){
                             _html.push(template
                                 .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6)))
                                 .replace('__title__', data.results[i].message)
+                                .replace('__title__', data.results[i].message.html_escape())
                                 .replace('__url__', pyroutes.url('changeset_home', {
                                     'repo_name': repo_name,
                                     'revision': data.results[i].raw_id}))
                                 );
+                        }
                         $this.html(_html.join('<br/>'));
+                    }
+                }
             });
         e.preventDefault();
+        }
     });
+}

0 comments (0 inline, 0 general)