# HG changeset patch
# User Mads Kiilerich
# Date 2020-11-11 16:45:42
# Node ID df930758dcf7da1303aa4ca3bccbaecf762c81b9
# Parent cd8fa11c5c89278a103b795db50e740594038ec8
repos: extra HTML escaping of repo and repo group names shown in DataTables
These names will already have been "slugged" and can thus not contain anything that can be used for any attack. But let's be explicitly safe and escape them anyway. raw_name without escaping would cause XSS *if* it was possible to create unsafe repo names. just_name must be escaped in order to make search work correctly - for example if searching for '<' ... *if* it was possible for names to contain that.
diff --git a/kallithea/controllers/admin/repo_groups.py b/kallithea/controllers/admin/repo_groups.py
--- a/kallithea/controllers/admin/repo_groups.py
+++ b/kallithea/controllers/admin/repo_groups.py
@@ -117,7 +117,7 @@ class RepoGroupsController(BaseControlle
 children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]
 repo_count = repo_gr.repositories.count()
 repo_groups_data.append({
- "raw_name": repo_gr.group_name,
+ "raw_name": h.escape(repo_gr.group_name),
 "group_name": repo_group_name(repo_gr.group_name, children_groups),
 "desc": h.escape(repo_gr.group_description),
 "repos": repo_count,
diff --git a/kallithea/model/repo.py b/kallithea/model/repo.py
--- a/kallithea/model/repo.py
+++ b/kallithea/model/repo.py
@@ -168,8 +168,8 @@ class RepoModel(object):
 for gr in repo_groups_list or []:
 repos_data.append(dict(
- raw_name='\0' + gr.name, # sort before repositories
- just_name=gr.name,
+ raw_name='\0' + h.html_escape(gr.name), # sort before repositories
+ just_name=h.html_escape(gr.name),
 name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
 desc=desc(gr.group_description)))
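Review bot: `raw_name` is escaped here with `h.escape`, while the two hunks in kallithea/model/repo.py escape the equivalent `raw_name`/`just_name` fields with `h.html_escape`; if those are two distinct helpers (for example one returning a markup object and the other a plain str), the DataTables sort/search key would be built from differently typed values for repo groups and for repositories. Using the same helper at all three sites, e.g. `"raw_name": h.html_escape(repo_gr.group_name),`, keeps the encoding rule in one place and makes it obvious to a later reader that the value is pre-escaped HTML rather than a raw name. Since the escaping is now done in the data layer, a short comment on the dict such as `# raw_name is HTML-escaped: consumers render it as-is and must not escape again` would prevent double-encoding by a future caller. The enclosing method starts and ends outside the hunk.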
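Review bot: The sort key is now the entity-encoded name: after `raw_name='\0' + h.html_escape(gr.name), # sort before repositories`, a name containing `&`, `<` or `>` would sort by its `&lt;`-style entity text rather than by the character, so the relative order of such names differs from the unescaped order. As the description notes, slugged names cannot contain those characters today, but the `# sort before repositories` comment no longer tells the whole story; suggest `# sort before repositories; HTML-escaped since DataTables presumably renders it unescaped`, hedged because the rendering side is not visible here. The same consideration applies to the `raw_name` line in the following hunk at line 178 of the same file. The enclosing method starts and ends outside the hunk.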
@@ -178,8 +178,8 @@ class RepoModel(object):
 continue
 cs_cache = repo.changeset_cache
 row = {
- "raw_name": repo.repo_name,
- "just_name": repo.just_name,
+ "raw_name": h.html_escape(repo.repo_name),
+ "just_name": h.html_escape(repo.just_name),
 "name": repo_lnk(repo.repo_name, repo.repo_type, repo.repo_state, repo.private, repo.fork),
 "following": following(