# HG changeset patch
# User Marcin Kuzminski
# Date 2017-06-06 07:30:12
# Node ID 7a1d008dc6b6e0d0e0dd6b32fef61df394272227
# Parent fa40b1850f15eba2065cf5591dff3bc9a5305ea2
security: fixed XSS inside the tooltip for author string.

diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -894,7 +894,8 @@ def author_string(email):
     user = User.get_by_email(email, case_insensitive=True, cache=True)
     if user:
         if user.firstname or user.lastname:
-            return '%s %s <%s>' % (user.firstname, user.lastname, email)
+            return '%s %s <%s>' % (
+                escape(user.firstname), escape(user.lastname), email)
         else:
             return email
     else:
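Review bot: The added lines escape `user.firstname` and `user.lastname` but leave `email` unescaped in the same format string, and the `return email` fallback two lines below (and presumably the outer `else:` branch, whose body is outside the hunk) also returns it raw, so the function still emits one unescaped value into whatever context the names were escaped for. Unless `email` is guaranteed to have been validated elsewhere — not visible here — the consistent fix is `escape(user.firstname), escape(user.lastname), escape(email))` on the new line and `return escape(email)` in the fallbacks, so every return path of author_string yields the same kind of value. The hunk does not show where `escape` comes from; confirm it is already imported in helpers.py and that it is the HTML-escaping helper, since a name like that can also be shadowed by a `cgi`/`html` import with different quote handling. author_string begins before the hunk and its final `else:` body continues past it.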