Files @ 391fde4cbf12
Branch filter:

Location: kallithea/MANIFEST.in

391fde4cbf12 1.1 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
include           .coveragerc
include           Apache-License-2.0.txt
include           CONTRIBUTORS
include           COPYING
include           Jenkinsfile
include           LICENSE-MERGELY.html
include           LICENSE.md
include           MIT-Permissive-License.txt
include           README.rst
include           dev_requirements.txt
include           development.ini
include           pytest.ini
include           requirements.txt
include           tox.ini
recursive-include docs *
recursive-include init.d *
recursive-include kallithea/alembic *
include           kallithea/bin/ldap_sync.conf
include           kallithea/lib/paster_commands/template.ini.mako
recursive-include kallithea/front-end *
recursive-include kallithea/i18n *
recursive-include kallithea/public *
recursive-include kallithea/templates *
recursive-include kallithea/tests/fixtures *
recursive-include kallithea/tests/scripts *
include           kallithea/tests/models/test_dump_html_mails.ref.html
include           kallithea/tests/performance/test_vcs.py
include           kallithea/tests/vcs/aconfig
recursive-include scripts *
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.