Files @ 603f5f7c323d
Location: kallithea/kallithea/templates/admin/settings/settings_system_update.html

Thomas De Schampheleire
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

If a user's first or last name contains JavaScript, these fields need proper
escaping to avoid XSS attacks.

An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).


Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
## -*- coding: utf-8 -*-
## upgrade block rendered after on-click check

<div class="alert ${'alert-warning' if c.should_upgrade else 'alert-success'}">
<p style="padding: 2px 0px 5px 0px; margin: 0px">

%if c.should_upgrade:
    A <b>new version</b> is available:
    %if c.latest_data.get('title'):
        ## h.literal bypasses the template's default escaping: the title taken
        ## from the update-check data is rendered as raw HTML, so it is trusted as-is.
        <b>${h.literal(c.latest_data['title'])}</b>
    %else:
        <b>${c.latest_ver}</b>
    %endif
%else:
    You already have the <b>latest</b> stable version.
%endif
</p>

% if c.should_upgrade and c.important_notices:
<div style="color: #5f5f5f; padding: 3px 0px 5px 0px;">Important notes for this release:</div>
    <ul>
    % for notice in c.important_notices:
        <li>- ${notice}</li>
    % endfor
    </ul>
% endif
</div>