Files @ ddad3be4dc44
Branch filter:

Location: kallithea/docs/usage/customization.rst

ddad3be4dc44 2.5 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
.. _customization:

=============
Customization
=============

There are several ways to customize Kallithea to your needs depending on what
you want to achieve.


HTML/JavaScript/CSS customization
---------------------------------

To customize the look-and-feel of the web interface (for example to add a
company banner or some JavaScript widget or to tweak the CSS style definitions)
you can enter HTML code (possibly with JavaScript and/or CSS) directly via the
*Admin > Settings > Global > HTML/JavaScript customization
block*.


Style sheet customization with Less
-----------------------------------

Kallithea uses `Bootstrap 3`_ and Less_ for its style definitions. If you want
to make some customizations, we recommend to do so by creating a ``theme.less``
file. When you create a file named ``theme.less`` in the Kallithea root
directory, you can use this file to override the default style. For example,
you can use this to override ``@kallithea-theme-main-color``,
``@kallithea-logo-url`` or other `Bootstrap variables`_.

After creating the ``theme.less`` file, you need to regenerate the CSS files, by
running::

    kallithea-cli front-end-build --no-install-deps

.. _bootstrap 3: https://getbootstrap.com/docs/3.3/
.. _bootstrap variables: https://getbootstrap.com/docs/3.3/customize/#less-variables
.. _less: http://lesscss.org/


Behavioral customization: rcextensions
--------------------------------------

Some behavioral customization can be done in Python using ``rcextensions``, a
custom Python package that can extend Kallithea functionality.

With ``rcextensions`` it's possible to add additional mappings for Whoosh
indexing and statistics, to add additional code into the push/pull/create/delete
repository hooks (for example to send signals to build bots such as Jenkins) and
even to monkey-patch certain parts of the Kallithea source code (for example
overwrite an entire function, change a global variable, ...).

To generate a skeleton extensions package, run::

    kallithea-cli extensions-create -c my.ini

This will create an ``rcextensions`` package next to the specified ``ini`` file.
See the ``__init__.py`` file inside the generated ``rcextensions`` package
for more details.


Behavioral customization: code changes
--------------------------------------

As Kallithea is open-source software, you can make any changes you like directly
in the source code.

We encourage you to send generic improvements back to the
community so that Kallithea can become better. See :ref:`contributing` for more
details.
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.