# HG changeset patch
# User Marcin Lulek
# Date 2020-07-07 13:29:17
# Node ID 4213c7c16546bbf8824a00147688715055dcfa15
# Parent 13cb126d0c0c7a80d6a6e4248c454404ee401a16
branch-permissions: protect from XSS on branch rules forbidden flash message.
diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -125,7 +125,7 @@ class RepoFilesView(RepoAppView):
 self.db_repo_name, branch_name)
 if branch_perm and branch_perm not in ['branch.push', 'branch.push_force']:
 message = _('Branch `{}` changes forbidden by rule {}.').format(
- h.escape(branch_name), rule)
+ h.escape(branch_name), h.escape(rule))
 h.flash(message, 'warning')
 if json_mode:
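Review bot: The added `h.escape(rule)` closes this one call site, but nothing at the `.format(` call records why both arguments must be escaped, so a later edit to the message could reintroduce the problem. A comment above the call would help, e.g. `# branch_name and rule come from repository data and the flash text is rendered as HTML; escape every interpolated value`. The fix also suggests that `h.flash` does not escape its message itself (inferred, as its implementation is not visible here), so other callers that interpolate branch names or rule patterns deserve the same check. A regression test with markup in the rule pattern would pin the behaviour. The enclosing method starts before the hunk and continues past `if json_mode:`.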