# HG changeset patch
# User Daniel Dourvaris
# Date 2016-10-06 12:38:49
# Node ID 3d0f257a78027c20600377f377d7c8d72c84272e
# Parent e21444cc7a8263f9bbfa91c26d25f5b0f8c41746
hipchat: escape user entered data to avoid xss/formatting problems
diff --git a/rhodecode/integrations/types/hipchat.py b/rhodecode/integrations/types/hipchat.py
--- a/rhodecode/integrations/types/hipchat.py
+++ b/rhodecode/integrations/types/hipchat.py
@@ -161,7 +161,7 @@ class HipchatIntegrationType(Integration
         comment_text = data['comment']['text']
         if len(comment_text) > 200:
             comment_text = '{comment_text}...'.format(
-                comment_text=comment_text[:200],
+                comment_text=h.html_escape(comment_text[:200]),
                 comment_url=data['comment']['url'],
             )
 
@@ -179,8 +179,8 @@ class HipchatIntegrationType(Integration
                 number=data['pullrequest']['pull_request_id'],
                 pr_url=data['pullrequest']['url'],
                 pr_status=data['pullrequest']['status'],
-                pr_title=data['pullrequest']['title'],
-                comment_text=comment_text
+                pr_title=h.html_escape(data['pullrequest']['title']),
+                comment_text=h.html_escape(comment_text)
             )
         )
 
@@ -193,7 +193,7 @@ class HipchatIntegrationType(Integration
                 number=data['pullrequest']['pull_request_id'],
                 pr_url=data['pullrequest']['url'],
                 pr_status=data['pullrequest']['status'],
-                pr_title=data['pullrequest']['title'],
+                pr_title=h.html_escape(data['pullrequest']['title']),
             )
         )
 
@@ -210,7 +210,7 @@ class HipchatIntegrationType(Integration
                 user=data['actor']['username'],
                 number=data['pullrequest']['pull_request_id'],
                 url=data['pullrequest']['url'],
-                title=data['pullrequest']['title'],
+                title=h.html_escape(data['pullrequest']['title']),
                 action=action
             )
 
@@ -238,7 +238,7 @@ class HipchatIntegrationType(Integration
     def format_repo_create_event(self, data):
         return '{} ({}) repository created by {}'.format(
             data['repo']['url'],
-            data['repo']['repo_name'],
+            h.html_escape(data['repo']['repo_name']),
             data['repo']['repo_type'],
             data['actor']['username'],
         )
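Review bot: The escape added at the truncation site in the first hunk double-encodes long comments, because the second hunk escapes `comment_text` again where it is interpolated (`comment_text=h.html_escape(comment_text)`), so a `&` in a comment longer than 200 characters reaches HipChat as `&amp;amp;` while a shorter comment is escaped once. Escaping belongs at the single point where the value enters the message, so I would revert this line to `comment_text=comment_text[:200],` and keep the escape in the format call. The enclosing method starts before the hunk and continues past it, so I cannot see whether `comment_text` is consumed anywhere else unescaped. This also assumes the message is posted to HipChat in HTML message format; if it is sent as plain text, the escaping would instead leak entity text into the chat — worth confirming against the send path.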
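Review bot: `format_repo_create_event` now escapes `repo_name` but not `data['actor']['username']` or `data['repo']['url']`, which are interpolated into the same string, and the pull-request hunks likewise leave `user=`, `pr_url=` and `pr_status=` unescaped. If usernames are restricted to a safe character set this is harmless, but that restriction is not visible here, and a `&` in a URL would still be misrendered in HTML output. Applying `h.html_escape` uniformly to every non-literal value, e.g. `h.html_escape(data['actor']['username']),`, removes the need to reason per field; a small helper that escapes all string values of the event payload before formatting would be cleaner still.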