# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2020-06-12 07:39:58
# Node ID 84bf794f286177ec1969a0ef56d18fd1b3f388e3
# Parent  b8cc803a11ccdd625cc72de8f4e4c82e951a1785

branch-permissions: fixed XSS for special named rules

diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -125,7 +125,7 @@ class RepoFilesView(RepoAppView):
             self.db_repo_name, branch_name)
         if branch_perm and branch_perm not in ['branch.push', 'branch.push_force']:
             message = _('Branch `{}` changes forbidden by rule {}.').format(
-                branch_name, rule)
+                h.escape(branch_name), rule)
             h.flash(message, 'warning')
 
             if json_mode: