Files @ 22da5f258118
Branch filter:

Location: kallithea/tox.ini

22da5f258118 238 B text/x-ini Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when loading a PR page.

To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
[tox]
minversion = 1.8
envlist = py{26,27}-pytest

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    -r{toxinidir}/dev_requirements.txt
    py26-pytest: unittest2
    python-ldap
    python-pam
commands =
    pytest: py.test {posargs}
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.