# HG changeset patch
# User Marcin Kuzminski
# Date 2019-08-26 14:58:25
# Node ID 01c5c83d419ccf6f0dd38ca40b86141329661d11
# Parent eb26e862995c7ae198f727e3b359884de2b41eac
security: fixed XSS in file editing.
diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -1250,7 +1250,7 @@ class RepoFilesView(RepoAppView):
 default_redirect_url = h.route_path('repo_commit', repo_name=self.db_repo_name, commit_id=commit_id)
 if content == old_content and node_path == org_node_path:
- h.flash(_('No changes detected on {}').format(org_node_path),
+ h.flash(_('No changes detected on {}').format(h.escape(org_node_path)),
 category='warning')
 raise HTTPFound(default_redirect_url)
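Review bot: The escape is applied at this one `h.flash(...)` call rather than where flash messages are rendered, so every other flash in `RepoFilesView` that formats a path or file name into its message has to repeat it by hand; those calls are outside this hunk and should be checked for the same pattern. The fix implies the flash text is emitted as markup, so a short comment on the changed line would keep the escape from being dropped in a later cleanup, e.g. `# flash text is rendered unescaped; org_node_path is request-derived, keep h.escape()` (the origin of `org_node_path` is not visible here and should be confirmed). A regression test that submits an unchanged file whose path contains markup characters and asserts the escaped form in the flash message would pin the behaviour. The enclosing method starts and ends outside the hunk.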