Files @ 603f5f7c323d
Location: kallithea/.travis.yml

Thomas De Schampheleire
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.

An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
language: python
python:
  - "2.6"
  - "2.7"

env:
  - TEST_DB=sqlite:////tmp/kallithea_test.sqlite
  - TEST_DB=mysql://root@127.0.0.1/kallithea_test
  - TEST_DB=postgresql://postgres@127.0.0.1/kallithea_test

services:
  - mysql
  - postgresql

# create the databases that the mysql/postgresql TEST_DB entries point at
before_script:
  - mysql -e 'create database kallithea_test;'
  - psql -c 'create database kallithea_test;' -U postgres
  - git --version

# replace the distribution's git with the newer build from the pdoes PPA
before_install:
  - sudo apt-get remove git
  - sudo add-apt-repository ppa:pdoes/ppa -y
  - sudo apt-get update -y
  - sudo apt-get install git -y

# install the database drivers and test helpers, then Kallithea itself
install:
  - pip install mysql-python psycopg2 mock unittest2
  - pip install . --use-mirrors

# command to run tests
script: nosetests

notifications:
  email:
    - ci@kallithea-scm.org
  irc: "irc.freenode.org#kallithea"

branches:
  only:
    - master