# HG changeset patch
# User Marcin Kuzminski
# Date 2020-06-12 07:39:58
# Node ID 84bf794f286177ec1969a0ef56d18fd1b3f388e3
# Parent b8cc803a11ccdd625cc72de8f4e4c82e951a1785
branch-permissions: fixed XSS for special named rules

diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -125,7 +125,7 @@ class RepoFilesView(RepoAppView):
 self.db_repo_name, branch_name)
 if branch_perm and branch_perm not in ['branch.push', 'branch.push_force']:
 message = _('Branch `{}` changes forbidden by rule {}.').format(
- branch_name, rule)
+ h.escape(branch_name), rule)
 h.flash(message, 'warning')
 if json_mode:
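Review bot: The added line escapes `branch_name` but leaves `rule`, the second `.format()` argument on the same line, unescaped even though it is interpolated into the same flashed message; the commit title says the issue is with "special named rules", so the rule text is the value most likely to carry markup. If `rule` is a configured pattern or name rather than a fixed literal, it should get the same treatment, `h.escape(branch_name), h.escape(rule))`. Whether `h.flash` renders the message as HTML is not visible in the hunk, but escaping every interpolated value at the point the message is built is the safer default and worth a one-line comment such as `# values are rendered as HTML by flash; escape both interpolations`. The enclosing method starts before and continues after the hunk.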