# HG changeset patch
# User Mads Kiilerich
# Date 2020-11-10 11:30:16
# Node ID cd8fa11c5c89278a103b795db50e740594038ec8
# Parent c387989f868f2d7712de7c4de351969c502cd1fd
repogroups: fix HTML markup of descriptions

Repogroup descriptions were not urlified like repo descriptions are. That caused incorrect rendering with posibility of XSS. The problem was introduced in 0.4.0 with 6db3122e4d75. Thanks to stypr of Flatt Security for reporting this vulnerability.

diff --git a/kallithea/model/repo.py b/kallithea/model/repo.py
--- a/kallithea/model/repo.py
+++ b/kallithea/model/repo.py
@@ -171,7 +171,7 @@ class RepoModel(object):
 raw_name='\0' + gr.name, # sort before repositories
 just_name=gr.name,
 name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
- desc=gr.group_description))
+ desc=desc(gr.group_description)))
 for repo in repos_list:
 if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):