Files
@ c9cfaeb1cdfe
Branch filter:
Location: kallithea/.travis.yml - annotation
c9cfaeb1cdfe
834 B
application/yaml
tooltips: fix unsafe insertion of userdata into the DOM as html
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 703d3208424c 703d3208424c 703d3208424c 6ccf86ebfd4e 925c77b9d3f1 925c77b9d3f1 925c77b9d3f1 925c77b9d3f1 6ccf86ebfd4e 6ccf86ebfd4e 703d3208424c 703d3208424c 63d3d20cad95 63d3d20cad95 63d3d20cad95 64ee7cf4a76d 63d3d20cad95 63d3d20cad95 63d3d20cad95 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 63d3d20cad95 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 13c0ab8eb343 08af8038e1cc 6ccf86ebfd4e 6ccf86ebfd4e 6ccf86ebfd4e 69377d1d7604 | language: python
python:
- "2.6"
- "2.7"
env:
- TEST_DB=sqlite:////tmp/kallithea_test.sqlite
- TEST_DB=mysql://root@127.0.0.1/kallithea_test
- TEST_DB=postgresql://postgres@127.0.0.1/kallithea_test
services:
- mysql
- postgresql
# command to install dependencies
before_script:
- mysql -e 'create database kallithea_test;'
- psql -c 'create database kallithea_test;' -U postgres
- git --version
before_install:
- sudo apt-get remove git
- sudo add-apt-repository ppa:pdoes/ppa -y
- sudo apt-get update -y
- sudo apt-get install git -y
install:
- pip install mysql-python psycopg2 mock unittest2
- pip install . --use-mirrors
# command to run tests
script: nosetests
notifications:
email:
- ci@kallithea-scm.org
irc: "irc.freenode.org#kallithea"
branches:
only:
- master
|