#3733 Fix escaping on PR diffs
Merged 5 years ago by pingou. Opened 5 years ago by ryanlerch.
ryanlerch/pagure pr-diff-escaping  into  master

file modified
+4 -3
@@ -224,17 +224,18 @@ 

                  output.append(

                      '<td class="cell2 stretch-table-column">\

                      <pre class="alert-success"><code>%s</code></pre></td>'

-                     % line

+                     % escape(line)

                  )

              elif line.startswith("-"):

                  output.append(

                      '<td class="cell2 stretch-table-column">\

                      <pre class="alert-danger"><code>%s</code></pre></td>'

-                     % line

+                     % escape(line)

                  )

          else:

              output.append(

-                 '<td class="cell2"><pre><code>%s</code></pre></td>' % line

+                 '<td class="cell2"><pre><code>%s</code></pre></td>'

+                 % (escape(line))

              )

  

          output.append("</tr>")
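Review bot: the hunk introduces three calls to `escape()` but the import that provides it is not visible here; confirm the function being used (e.g. `markupsafe.escape` or `html.escape`) is actually imported in this module, since a missing import would only surface at runtime when a diff line is rendered. Two smaller points: the third call site uses redundant parentheses, `% (escape(line))`, while the other two use `% escape(line)`, so it should match; and since this hunk starts mid-function at line 224, it is worth checking that any remaining branches of the same loop that interpolate `line` into HTML markup are escaped the same way, otherwise the fix is incomplete for those paths.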

rebased onto 8153ebc6a44164d712395d76b6ca36338f9d8da9

5 years ago

rebased onto 1fffee7

5 years ago

Found and fixed the style issue, I'm confident the tests will pass, so let's merge this one :)

Pull-Request has been merged by pingou

5 years ago

This commit looks like it fixes cross-site scripting vulnerabilities, therefore the update/version with this change should be promoted as a security update to ensure that all users know that it is important to update.

@till this has been released in 5.0.1, released on September 27th https://docs.pagure.org/pagure/changelog.html#id5 which was advertised as a security update.