Files @ b9b719fb4774
Location: kallithea/docs/usage/customization.rst

b9b719fb4774 2.5 KiB text/prs.fallenstein.rst
Thomas De Schampheleire
search: fix XSS vulnerability in search results

The search feature did not correctly escape all arguments when displaying
search matches and linking to the corresponding files.

An attacker that can control the contents of a repository could thus cause
a cross-site scripting (XSS) vulnerability.

Fix the problem by removing the overall h.literal call that is only needed
for the HTML entity » and splitting the link instead.

We take the opportunity to improve the destination of the part before
» which is the path to the repository. Instead of pointing to the
search result, point to the repository itself.
The part after » remains linked to the file containing the search
match.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

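The escaping mistake the commit message describes, as an added illustration that is not Kallithea's code: a link builder that marks the whole concatenated string as safe HTML (so the » entity renders, but repository-controlled names pass through unescaped) beside the corrected form that escapes each argument and keeps only the entity and the split links trusted. The ``literal`` class stands in for Kallithea's ``h.literal`` and ``render`` for the template engine's auto-escaping; both are assumptions made for this example.

```python
# Added example, not Kallithea's implementation. Standard library only.
from html import escape


class literal(str):
    """Stand-in for h.literal: marks a string as already-safe HTML."""


def render(value):
    """Stand-in for template auto-escaping: escape anything not marked literal."""
    return value if isinstance(value, literal) else escape(value, quote=True)


def search_link_vulnerable(repo_name, path, url):
    # Bug pattern: the entire string is declared safe so that &raquo; is not
    # double-escaped, but repo_name and path (both controllable by whoever
    # can write to the repository) are interpolated without escaping.
    return literal('<a href="%s">%s &raquo; %s</a>' % (url, repo_name, path))


def search_link_fixed(repo_name, repo_url, path, file_url):
    # Fix pattern: escape every untrusted piece on its own and only then wrap
    # the assembled markup. The link is split as in the commit: the part
    # before &raquo; points at the repository, the part after at the file.
    return literal(
        '<a href="%s">%s</a> &raquo; <a href="%s">%s</a>'
        % (render(repo_url), render(repo_name), render(file_url), render(path))
    )


if __name__ == "__main__":
    # Constructed sample input: a repository name carrying an HTML tag.
    hostile = "<img src=x onerror=alert(1)>"
    print(render(search_link_vulnerable(hostile, "README.rst", "/search")))
    print(render(search_link_fixed(hostile, "/repo", "README.rst", "/repo/files/README.rst")))
```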
.. _customization:

=============
Customization
=============

There are several ways to customize Kallithea to your needs depending on what
you want to achieve.


HTML/JavaScript/CSS customization
---------------------------------

To customize the look-and-feel of the web interface (for example to add a
company banner or some JavaScript widget or to tweak the CSS style definitions)
you can enter HTML code (possibly with JavaScript and/or CSS) directly via the
*Admin > Settings > Global > HTML/JavaScript customization
block*.


Style sheet customization with Less
-----------------------------------

Kallithea uses `Bootstrap 3`_ and Less_ for its style definitions. If you want
to make some customizations, we recommend doing so by creating a ``theme.less``
file. When you create a file named ``theme.less`` in the Kallithea root
directory, you can use this file to override the default style. For example,
you can use this to override ``@kallithea-theme-main-color``,
``@kallithea-logo-url`` or other `Bootstrap variables`_.

After creating the ``theme.less`` file, you need to regenerate the CSS files by
running::

    kallithea-cli front-end-build --no-install-deps

.. _bootstrap 3: https://getbootstrap.com/docs/3.3/
.. _bootstrap variables: https://getbootstrap.com/docs/3.3/customize/#less-variables
.. _less: http://lesscss.org/


Behavioral customization: rcextensions
--------------------------------------

Some behavioral customization can be done in Python using ``rcextensions``, a
custom Python package that can extend Kallithea functionality.

With ``rcextensions`` it's possible to add additional mappings for Whoosh
indexing and statistics, to add additional code into the push/pull/create/delete
repository hooks (for example to send signals to build bots such as Jenkins) and
even to monkey-patch certain parts of the Kallithea source code (for example
overwrite an entire function, change a global variable, ...).

To generate a skeleton extensions package, run::

    kallithea-cli extensions-create -c my.ini

This will create an ``rcextensions`` package next to the specified ``ini`` file.
See the ``__init__.py`` file inside the generated ``rcextensions`` package
for more details.


Behavioral customization: code changes
--------------------------------------

As Kallithea is open-source software, you can make any changes you like directly
in the source code.

We encourage you to send generic improvements back to the
community so that Kallithea can become better. See :ref:`contributing` for more
details.