Files @ c9bd000a4567

Location: kallithea/docs/index.rst (1.2 KiB, text/prs.fallenstein.rst)

Mads Kiilerich
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

.. _index:

#######################
Kallithea Documentation
#######################

**Readme**

.. toctree::
   :maxdepth: 1

   readme

**Installation**

.. toctree::
   :maxdepth: 1

   overview
   installation
   installation_win
   installation_win_old
   installation_iis
   setup
   installation_puppet

**Usage**

.. toctree::
   :maxdepth: 1

   usage/general
   usage/vcs_support
   usage/locking
   usage/statistics

**Administrator's guide**

.. toctree::
   :maxdepth: 1

   usage/email
   usage/performance
   usage/backup
   usage/debugging
   usage/troubleshooting

**Development**

.. toctree::
   :maxdepth: 1

   contributing
   changelog

**API**

.. toctree::
   :maxdepth: 1

   api/api
   api/models


Other topics
------------

* :ref:`genindex`
* :ref:`search`


.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _python: http://www.python.org/
.. _django: http://www.djangoproject.com/
.. _mercurial: https://www.mercurial-scm.org/
.. _bitbucket: http://bitbucket.org/
.. _subversion: http://subversion.tigris.org/
.. _git: http://git-scm.com/
.. _celery: http://celeryproject.org/
.. _Sphinx: http://sphinx.pocoo.org/
.. _vcs: http://pypi.python.org/pypi/vcs