Files @ 04e44ea05c5f
Branch filter:

Location: kallithea/.hgignore

04e44ea05c5f 341 B text/plain Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
.eggs/
tarballcache/

syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^kallithea/tests/data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$
Server instance: clio-5338 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support