Files @ a8d873e9cab0
Branch filter:

Location: kallithea/pytest.ini

a8d873e9cab0 328 B text/x-ini Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.
1
2
3
4
5
6
7
8
9
[pytest]
# only look for tests in kallithea/tests
python_files = kallithea/tests/**/test_*.py
addopts =
    # --verbose
    # show extra test summary info as specified by chars (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed, (w)warnings.
    -rfEsxXw
    # Shorter scrollbacks; less stuff to scroll through
    --tb=short
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.