Files
@ 9beef1d91c4c
Branch filter:
Location: kallithea/.coveragerc - annotation
9beef1d91c4c
1.1 KiB
text/plain
pullrequests: prevent XSS when 'Potential Reviewers' are selected and first and last names cannot be trusted
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.
That could cause XSS issues, already when adding rogue users as reviewers on a PR.
To avoid that, make sure select2 use the default escapeMarkup function. In
addReviewMember, use .html_escape when expanding the reviewer template.
7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef ddee465a345a 7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef 7790b34a0cef 0acb46763886 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 4b241f198cf2 0acb46763886 0acb46763886 0acb46763886 0acb46763886 | [run]
omit =
# the bin scripts are not part of the Kallithea web app
kallithea/bin/*
# we ship with no active extensions
kallithea/config/rcextensions/*
# dbmigrate is not a part of the Kallithea web app
kallithea/lib/dbmigrate/*
# the tests themselves should not be part of the coverage report
kallithea/tests/*
# the scm hooks are not run in the kallithea process
kallithea/config/post_receive_tmpl.py
kallithea/config/pre_receive_tmpl.py
# same omit lines should be present in sections 'run' and 'report'
[report]
omit =
# the bin scripts are not part of the Kallithea web app
kallithea/bin/*
# we ship with no active extensions
kallithea/config/rcextensions/*
# dbmigrate is not a part of the Kallithea web app
kallithea/lib/dbmigrate/*
# the tests themselves should not be part of the coverage report
kallithea/tests/*
# the scm hooks are not run in the kallithea process
kallithea/config/post_receive_tmpl.py
kallithea/config/pre_receive_tmpl.py
[paths]
source =
kallithea/
**/workspace/*/kallithea
|