diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -219,6 +219,7 @@ class _ToolTip(object):
tooltip = _ToolTip()
+files_icon = icon = ''
def files_breadcrumbs(repo_name, commit_id, file_path, at_ref=None, limit_items=False):
if isinstance(file_path, str):
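Review bot: The chained assignment on the added line binds a second module-level name, `icon`, alongside `files_icon`. `files_breadcrumbs` assigns its own local `icon` further down, so the module-level one looks unused and is easy to confuse with the local. Unless another module relies on `helpers.icon`, assign only `files_icon`. A comment above it would also help, e.g. `# HTML template with one {} placeholder; callers must pass an already HTML-escaped path`, since the tests import the constant and it has become part of the helper's contract. The body of `files_breadcrumbs` continues outside this hunk.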
@@ -265,7 +266,7 @@ def files_breadcrumbs(repo_name, commit_
url_segments = limited_url_segments
full_path = file_path
- icon = ''.format(full_path)
+ icon = files_icon.format(escape(full_path))
if file_path == '':
return root_name
else:
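Review bot: Whether `escape(full_path)` is sufficient on the added line depends on where the `{}` placeholder sits in `files_icon`, and the template text is not visible in this hunk. If the placeholder is inside a quoted attribute value, `escape` has to encode both quote characters as well as `<`, `>` and `&`; please confirm that it does. The result is returned as a `literal` (per the test comment), so nothing downstream will escape it again. A comment here would record that, e.g. `# file names come from repository content; escape (quotes included) before formatting into the HTML template`. The rest of `files_breadcrumbs` lies outside the hunk, so the other joined segments were not checked here.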
diff --git a/rhodecode/tests/lib/test_helpers.py b/rhodecode/tests/lib/test_helpers.py
--- a/rhodecode/tests/lib/test_helpers.py
+++ b/rhodecode/tests/lib/test_helpers.py
@@ -40,27 +40,52 @@ def test_urlify_text(url, expected_url):
@pytest.mark.parametrize('repo_name, commit_id, path, expected_result', [
+ # Simple case 1
+ ('repo', 'commit', 'a/b',
+ ''
+ ' / '
+ 'a'
+ ' / '
+ 'b'),
+
+ # Simple case
('rXrX<X/'
- 'pX<X/'
- 'aX<X'
- '/bX<X'),
+ ''
+ ' / '
+ 'pX<X'
+ ' / '
+ 'aX<X'
+ ' / '
+ 'bX<X'),
+
# Path with only one segment
('rXrX<X/pX<X'),
+ ''
+ ' / '
+ 'pX<X'),
+
# Empty path
- ('rX'),
+
+ # simple quote
('rX"X', 'cX"X', 'pX"X/aX"X/bX"X',
- 'rX"X/'
- 'pX"X/'
- 'aX"X'
- '/bX"X'),
-], ids=['simple', 'one_segment', 'empty_path', 'simple_quote'])
+ ''
+ ' / '
+ 'pX"X'
+ ' / '
+ 'aX"X'
+ ' / '
+ 'bX"X'),
+
+], ids=['simple1', 'simple2', 'one_segment', 'empty_path', 'simple_quote'])
def test_files_breadcrumbs_xss(
repo_name, commit_id, path, app, expected_result):
result = helpers.files_breadcrumbs(repo_name, commit_id, path)
# Expect it to encode all path fragments properly. This is important
# because it returns an instance of `literal`.
+ if path != '':
+ expected_result = expected_result + helpers.files_icon.format(helpers.escape(path))
assert result == expected_result
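Review bot: The icon part of the expected value is built with `helpers.files_icon.format(helpers.escape(path))`, the same expression the implementation uses, so this XSS test cannot fail if `escape` or the template stops encoding the path correctly. Pin the escaped form independently, either by spelling out the expected encoded path in each parametrized case or by adding a negative check on the raw payloads such as `assert 'X<X' not in result and 'X"X' not in result`. That keeps the regression test meaningful for the clipboard icon as well as for the breadcrumb links.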