Files @ 22da5f258118
Branch filter:

Location: kallithea/MANIFEST.in

22da5f258118 1.1 KiB text/plain Show Annotation Show as Raw Download as Raw
mads
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

The user information passed to autocompleteFormatter from select2 is the raw
data which might contain HTML markup controlled by the user.

That could cause XSS issues, already when loading a PR page.

To avoid that, make sure autocompleteHighlightMatch always escape user
information. That makes the user safe as long as a rogue user isn't selected ...
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
include           .coveragerc
include           Apache-License-2.0.txt
include           CONTRIBUTORS
include           COPYING
include           Jenkinsfile
include           LICENSE-MERGELY.html
include           LICENSE.md
include           MIT-Permissive-License.txt
include           README.rst
include           dev_requirements.txt
include           development.ini
include           pytest.ini
include           requirements.txt
include           tox.ini
recursive-include docs *
recursive-include init.d *
recursive-include kallithea/alembic *
include           kallithea/bin/ldap_sync.conf
include           kallithea/lib/paster_commands/template.ini.mako
recursive-include kallithea/front-end *
recursive-include kallithea/i18n *
recursive-include kallithea/public *
recursive-include kallithea/templates *
recursive-include kallithea/tests/fixtures *
recursive-include kallithea/tests/scripts *
include           kallithea/tests/models/test_dump_html_mails.ref.html
include           kallithea/tests/performance/test_vcs.py
include           kallithea/tests/vcs/aconfig
recursive-include scripts *
Server instance: clio-6007 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support