Files @ 9beef1d91c4c
Branch filter:

Location: kallithea/setup.cfg

9beef1d91c4c 726 B text/x-ini Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when adding rogue users as reviewers on a PR.

To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
[egg_info]
tag_build =
tag_svn_revision = 0
tag_date = 0

[aliases]
test = pytest

[compile_catalog]
domain = kallithea
directory = kallithea/i18n
statistics = true

[extract_messages]
add_comments = TRANSLATORS:
output_file = kallithea/i18n/kallithea.pot
msgid-bugs-address = translations@kallithea-scm.org
copyright-holder = Various authors, licensing as GPLv3
no-wrap = true

[init_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n

[update_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n
previous = true

[build_sphinx]
source-dir = docs/
build-dir = docs/_build
all_files = 1

[upload_sphinx]
upload-dir = docs/_build/html
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.