Files @ c9cfaeb1cdfe
Branch filter:

Location: kallithea/CONTRIBUTORS

c9cfaeb1cdfe 3.2 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
tooltips: fix unsafe insertion of userdata into the DOM as html

This fixes js injection in the admin journal ... and probably also in other places.

Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.

Instead, by default, just insert it into the DOM as text, not as html.

The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
List of contributors to Kallithea project:
    Marcin Kuźmiński <marcin@python-works.com>
    Lukasz Balcerzak <lukaszbalcerzak@gmail.com>
    Jason Harris <jason@jasonfharris.com>
    Thayne Harbaugh  <thayne@fusionio.com>
    cejones <>
    Thomas Waldmann <tw-public@gmx.de>
    Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
    Dmitri Kuznetsov <>
    Jared Bunting <jared.bunting@peachjean.com>
    Steve Romanow <slestak989@gmail.com>
    Augosto Hermann <augusto.herrmann@planejamento.gov.br>    
    Ankit Solanki <ankit.solanki@gmail.com>    
    Liad Shani <liadff@gmail.com>
    Les Peabody <lpeabody@gmail.com>
    Jonas Oberschweiber <jonas.oberschweiber@d-velop.de>
    Matt Zuba <matt.zuba@goodwillaz.org>
    Aras Pranckevicius <aras@unity3d.com>
    Tony Bussieres <t.bussieres@gmail.com>
    Erwin Kroon <e.kroon@smartmetersolutions.nl>
    nansenat16 <nansenat16@null.tw>
    Vincent Duvert <vincent@duvert.net>
    Takumi IINO <trot.thunder@gmail.com>
    Indra Talip <indra.talip@gmail.com>
    James Rhodes <jrhodes@redpointsoftware.com.au>
    Dominik Ruf <dominikruf@gmail.com>
    xpol <xpolife@gmail.com>
    Vincent Caron <vcaron@bearstech.com>
    Zachary Auclair <zach101@gmail.com>
    Stefan Engel <mail@engel-stefan.de>
    Andrew Shadura <andrew@shadura.me>
    Raoul Thill <raoul.thill@gmail.com>
    Philip Jameson <philip.j@hostdime.com>
    Mads Kiilerich <madski@unity3d.com>
    Dan Sheridan <djs@adelard.com>
    Dennis Brakhane <brakhane@googlemail.com>
    Simon Lopez <simon.lopez@slopez.org>
    Jonathan Sternberg <jonathansternberg@gmail.com>
    Grzegorz Rożniecki <xaerxess@gmail.com>
    Andrew Kesterson <andrew@aklabs.net>
    David A. Sjøen <david.sjoen@westcon.no>
    Jelmer Vernooij <jelmer@samba.org>
    larikale
    SteveCohen
    RhodeCode GmbH
    Sebastian Kreutzberger <sebastian@rhodecode.com>
    thomas <thomas@rhodecode.com>
    Bradley M. Kuhn <bkuhn@sfconservancy.org>
    Sean Farley <sean.michael.farley@gmail.com>
    Martin Vium <martinv@unity3d.com>
    Daniel Anderson <daniel@dattrix.com>
    Travis Burtrum <android@moparisthebest.com>
    Calinou <calinou@opmbx.org>
    Christian Oyarzun <oyarzun@gmail.com>
    Denis Blanchette <dblanchette@coveo.com>
    duanhongyi <duanhongyi@doopai.com>
    Henrik Stuart <hg@hstuart.dk>
    Ingo von Borstel <kallithea@planetmaker.de>
    Jan Heylen <heyleke@gmail.com>
    Jim Hague <jim.hague@acm.org>
    Joseph Rivera <rivera.d.joseph@gmail.com>
    Kazunari Kobayashi <kobanari@nifty.com>
    Matt Fellows <kallithea@matt-fellows.me.uk>
    Max Roman <max@choloclos.se>
    Michael Pohl <michael@mipapo.de>
    Michael V. DePalatis <mike@depalatis.net>
    Michal Čihař <michal@cihar.com>
    Morten Skaaning <mortens@unity3d.com>
    Na'Tosha Bard <natosha@unity3d.com>
    Nick High <nick@silverchip.org>
    Niemand Jedermann <predatorix@web.de>
    Peter Vitt <petervitt@web.de>
    Sam Jaques <sam.jaques@me.com>
    Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
    Tuux <tuxa@galaxie.eu.org>
    Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
    Kevin Bullock <kbullock@ringworld.org>
    Marc Villetard <marc.villetard@gmail.com>
    Matthias Zilk <matthias.zilk@gmail.com>
    Tim Freund <tim@freunds.net>
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.