# HG changeset patch
# User Marcin Lulek
# Date 2017-06-17 14:06:06
# Node ID 86482ba7e83398d702c72bac53e4efc161fa30b2
# Parent e5a0601cd7ed0ad71abe0796ad171460e3a4cfd7
security: fix self-xss inside repo strip view.
diff --git a/rhodecode/apps/repository/views/repo_strip.py b/rhodecode/apps/repository/views/repo_strip.py
--- a/rhodecode/apps/repository/views/repo_strip.py
+++ b/rhodecode/apps/repository/views/repo_strip.py
@@ -23,6 +23,7 @@ from pyramid.view import view_config
 from rhodecode.apps._base import RepoAppView
 from rhodecode.lib import audit_logger
+from rhodecode.lib import helpers as h
 from rhodecode.lib.auth import (LoginRequired, HasRepoPermissionAnyDecorator, NotAnonymous)
 from rhodecode.lib.ext_json import json
@@ -64,10 +65,11 @@ class StripView(RepoAppView):
 for i in range(1, 11):
 chset = 'changeset_id-%d' % (i,)
 check = rp.get(chset)
+ if check:
 data[i] = self.db_repo.get_changeset(rp[chset])
 if isinstance(data[i], EmptyCommit):
- data[i] = {'rev': None, 'commit': rp[chset]}
+ data[i] = {'rev': None, 'commit': h.escape(rp[chset])}
 else:
 data[i] = {'rev': data[i].raw_id, 'branch': data[i].branch, 'author': data[i].author,
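Review bot: In the second hunk `h.escape(rp[chset])` HTML-escapes the request value at the point where `data[i]` is built, so the escaped string travels with the data instead of being encoded at the output boundary; if `data` is also emitted through the `json` this module imports, the entities end up inside the JSON payload, and a reader of the view cannot tell why only the EmptyCommit branch is escaped. Either keep the raw value here and rely on the template's auto-escaping, or add a comment on the changed line such as `# 'commit' echoes an unvalidated request value; escaped here because the template renders it raw`. The new `if check:` guard means slots with no posted value are never assigned, so later consumers of `data` must tolerate missing keys, and since `check` already holds `rp.get(chset)` the repeated `rp[chset]` lookups could simply use `check`; the indentation of the lines the guard is meant to cover is not recoverable from the collapsed hunk. The enclosing method starts before and continues past this hunk.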