From 773db535e5f42a68978f951962b4eeb3993843f1 Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Jul 18 2018 13:21:28 +0000
Subject: Escape html in author name

Prevent XSS by using a crafted author name with html and javascript later on the commit page, since that is marked as safe and so not escaped

Another fix for CVE-2018-1002155

Signed-off-by: Michael Scherer
---
diff --git a/pagure/ui/filters.py b/pagure/ui/filters.py
index e90d6b7..db89e8f 100644
--- a/pagure/ui/filters.py
+++ b/pagure/ui/filters.py
@@ -26,6 +26,7 @@ from pygments import highlight
 from pygments.lexers.text import DiffLexer
 from pygments.formatters import HtmlFormatter
 from pygments.filters import VisibleWhitespaceFilter
+from jinja2 import escape
 import pagure.exceptions
 import pagure.lib
@@ -466,7 +467,7 @@ def author_to_user(author, size=16, cssclass=None, with_name=True):
     """ Template filter transforming a pygit2 Author object into a text
     either with just the username or linking to the user in pagure.
     """
-    output = author.name
+    output = escape(author.name)
     if not author.email:
         return output
     user = pagure.lib.search_user(flask.g.session, email=author.email)
@@ -484,7 +485,7 @@ def author_to_user(author, size=16, cssclass=None, with_name=True):
                 'ui_ns.view_user', username=user.username),
             'cssclass': ('class="%s"' % cssclass) if cssclass else '',
             'username': user.username,
-            'name': author.name,
+            'name': escape(author.name),
         }
     )
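Review bot: `from jinja2 import escape` imports a name that Jinja2 only re-exports from MarkupSafe, and that re-export was deprecated in later Jinja2 releases; importing it from its home, `from markupsafe import escape`, keeps this filter module independent of Jinja2's public surface. This is a style point only, the escaping behaviour is identical either way.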
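Review bot: `output = escape(author.name)` changes the filter's return type from `str` to `markupsafe.Markup` on the early-return path and, presumably, on the path that continues past the hunk, and the docstring does not record that contract; a `Markup` operand escapes any plain `str` it is concatenated with via `+` or `%`, so any later `output + ...` or `"..." % output` in the rest of the function should be checked for double escaping. Suggested docstring addition after the second line: `The author name is HTML-escaped, so the returned markup is safe to render unescaped.` The body of `author_to_user` continues outside the hunk.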
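Review bot: Only `name` is escaped in the dictionary, while `user.username` (and the template-supplied `cssclass`) are interpolated into the same markup unescaped on the `'username':` line; if account validation restricts usernames to a safe character set this is not exploitable today, but escaping it costs nothing and makes the filter safe by construction rather than by an invariant held elsewhere, e.g. `'username': escape(user.username),`. `cssclass` comes from the template call site rather than user input, so it can stay, though a short comment saying so would help the next reader. The enclosing `author_to_user` starts and ends outside the hunk, so I cannot see the format string these values are substituted into.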