Files @ 391fde4cbf12
Branch filter:

Location: kallithea/dev_requirements.txt - annotation

391fde4cbf12 267 B text/plain Show Source Show as Raw Download as Raw
mads
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916
55fc0bcce916

Babel >= 0.9.6, < 2.7
pytest >= 3.3.0, < 3.8
pytest-runner < 4.3
pytest-sugar >= 0.7.0, < 0.10
pytest-benchmark < 3.2
pytest-localserver < 0.5
mock < 2.1
Sphinx < 1.8
WebTest < 2.1
WebOb >= 1.7, < 1.8 # turbogears2 2.3.12 requires WebOb<1.8.0, WebTest has WebOb>=1.2
Server instance: clio-22459 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support