# HG changeset patch
# User Milka Kuzminski <milka@rhodecode.com>
# Date 2021-03-16 11:19:15
# Node ID 9012cc2f6396f30e5423ad026dc3e8bb0f97dd8e
# Parent  9db216d5e579c1ce0518123cd7fdbfadb9eb6379

pull-requests: fixed some xss problems with odd filenames.

diff --git a/rhodecode/public/js/src/rhodecode/comments.js b/rhodecode/public/js/src/rhodecode/comments.js
--- a/rhodecode/public/js/src/rhodecode/comments.js
+++ b/rhodecode/public/js/src/rhodecode/comments.js
@@ -1331,7 +1331,7 @@ var CommentsController = function() {
 
           // There aren't any comments, we init the `.inline-comments` with `reply-thread-container` first
           if ($comments.length===0) {
-            var replBtn = '<button class="cb-comment-add-button" onclick="return Rhodecode.comments.createComment(this, \'{0}\', \'{1}\', null)">Reply...</button>'.format(f_path, line_no)
+            var replBtn = '<button class="cb-comment-add-button" onclick="return Rhodecode.comments.createComment(this, \'{0}\', \'{1}\', null)">Reply...</button>'.format(escapeHtml(f_path), line_no)
             var $reply_container = $('#cb-comments-inline-container-template')
             $reply_container.find('button.cb-comment-add-button').replaceWith(replBtn);
             $td.append($($reply_container).html());
diff --git a/rhodecode/templates/ejs_templates/templates.html b/rhodecode/templates/ejs_templates/templates.html
--- a/rhodecode/templates/ejs_templates/templates.html
+++ b/rhodecode/templates/ejs_templates/templates.html
@@ -221,7 +221,7 @@ if (show_disabled) {
                 <%= version_info %>
             <% } %>
             <br/>
-            File: <code><%- file_name -%></code>
+            File: <code><%= file_name -%></code>
         <% } else { %>
             <% if (review_status) { %>
                 <i class="icon-circle review-status-<%= review_status %>"></i>