Files @ a8d873e9cab0
Branch filter:

Location: kallithea/dev_requirements.txt

a8d873e9cab0 267 B text/plain Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Babel >= 0.9.6, < 2.7
pytest >= 3.3.0, < 3.8
pytest-runner < 4.3
pytest-sugar >= 0.7.0, < 0.10
pytest-benchmark < 3.2
pytest-localserver < 0.5
mock < 2.1
Sphinx < 1.8
WebTest < 2.1
WebOb >= 1.7, < 1.8 # turbogears2 2.3.12 requires WebOb<1.8.0, WebTest has WebOb>=1.2
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.