Changeset - cd8fa11c5c89
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich (mads) - 5 years ago 2020-11-10 11:30:16
mads@kiilerich.com
repogroups: fix HTML markup of descriptions

Repogroup descriptions were not urlified like repo descriptions are. That
caused incorrect rendering with posibility of XSS.

The problem was introduced in 0.4.0 with 6db3122e4d75.

Thanks to stypr of Flatt Security for reporting this vulnerability.
1 file changed with 1 insertions and 1 deletions:
kallithea/model/repo.py
1
1
0 comments (0 inline, 0 general)
kallithea/model/repo.py
Show inline comments
 
@@ -171,7 +171,7 @@ class RepoModel(object):
 
                raw_name='\0' + gr.name, # sort before repositories
 
                just_name=gr.name,
 
                name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
 
                desc=gr.group_description))
 
                desc=desc(gr.group_description)))
 

			




	
	
	
		
 
        for repo in repos_list:

			




	
	
	
		
 
            if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-24651
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support