Changeset - df930758dcf7
[Not reviewed]
stable
0 2 0
Mads Kiilerich - 5 years ago 2020-11-11 16:45:42
mads@kiilerich.com
repos: extra HTML escaping of repo and repo group names shown in DataTables

These names will already have been "slugged" and can thus not contain anything
that can be used for any attack. But let's be explicitly safe and escape them
anyway.

raw_name without escaping would cause XSS *if* it was possible to create unsafe
repo names.

just_name must be escaped in order to make search work correctly - for example
if searching for '<' ... *if* it was possible for names to contain that.
2 files changed with 5 insertions and 5 deletions:
kallithea/controllers/admin/repo_groups.py
 
@@ -117,7 +117,7 @@ class RepoGroupsController(BaseControlle
 
            children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]
 
            repo_count = repo_gr.repositories.count()
 
            repo_groups_data.append({
 
                "raw_name": repo_gr.group_name,
 
                "raw_name": h.escape(repo_gr.group_name),
 
                "group_name": repo_group_name(repo_gr.group_name, children_groups),
 
                "desc": h.escape(repo_gr.group_description),
 
                "repos": repo_count,
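Review bot: The new `"raw_name": h.escape(repo_gr.group_name)` line escapes with `h.escape`, while the same defensive change in kallithea/model/repo.py (both of its hunks) uses `h.html_escape`; if the two helpers differ in which characters they escape (quotes in particular), group rows and repository rows would get different treatment for the same purpose. Using one helper in both files, e.g. `"raw_name": h.html_escape(repo_gr.group_name),` here, or a short comment stating why `h.escape` is the intended one, would keep them consistent. Since the `raw_name` key now holds escaped text, a comment such as `# escaped defensively; slugged names should never contain markup` would spare the next reader the assumption the key name invites. The `repo_groups_data.append(...)` call and its enclosing loop continue outside the hunk.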
kallithea/model/repo.py
 
@@ -168,8 +168,8 @@ class RepoModel(object):
 

	
 
        for gr in repo_groups_list or []:
 
            repos_data.append(dict(
 
                raw_name='\0' + gr.name, # sort before repositories
 
                just_name=gr.name,
 
                raw_name='\0' + h.html_escape(gr.name), # sort before repositories
 
                just_name=h.html_escape(gr.name),
 
                name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
 
                desc=desc(gr.group_description)))
 

	
 
@@ -178,8 +178,8 @@ class RepoModel(object):
 
                continue
 
            cs_cache = repo.changeset_cache
 
            row = {
 
                "raw_name": repo.repo_name,
 
                "just_name": repo.just_name,
 
                "raw_name": h.html_escape(repo.repo_name),
 
                "just_name": h.html_escape(repo.just_name),
 
                "name": repo_lnk(repo.repo_name, repo.repo_type,
 
                                 repo.repo_state, repo.private, repo.fork),
 
                "following": following(
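Review bot: In the first hunk the escaped value also remains the sort key (`raw_name='\0' + h.html_escape(gr.name), # sort before repositories`, and likewise `"raw_name"` in the second hunk), so a name containing `&`, `<` or `>` would now sort by its entity text rather than the literal character; this is harmless as long as slugging keeps such characters out, as the description says, but the comment should record that the value is escaped, e.g. `# sort before repositories; escaped like the repo rows so sort and search see the same text`. Whether DataTables renders `raw_name`/`just_name` as HTML or as plain text is not visible here; if a column renders them as text, an escaped name would display literally as `&amp;`, which is worth confirming against the table definition. The `for gr in repo_groups_list` loop in the first hunk and the `row` dict in the second continue outside their hunks.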