# HG changeset patch
# User Marcin Lulek
# Date 2017-06-20 18:02:24
# Node ID 9e60361ccf6f5a28a1ef7b11a9b765b92d0314bc
# Parent 76aa36403fb318a53dc57e96c7cf69e20b5acc5c
security: escape the returned paths of files and directories. Nodes function is used for autocomplete in files view, it prevents from XSS type of attack in file search.
diff --git a/rhodecode/model/scm.py b/rhodecode/model/scm.py
--- a/rhodecode/model/scm.py
+++ b/rhodecode/model/scm.py
@@ -496,7 +496,7 @@ class ScmModel(BaseModel):
 if not flat:
 _data = {
- "name": f.unicode_path,
+ "name": h.escape(f.unicode_path),
 "type": "file",
 }
 if extended_info:
@@ -522,7 +522,7 @@ class ScmModel(BaseModel):
 _data = d.unicode_path
 if not flat:
 _data = {
- "name": d.unicode_path,
+ "name": h.escape(d.unicode_path),
 "type": "dir",
 }
 if extended_info:
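Review bot: `h.escape()` HTML-encodes the path inside the model, so every caller of the non-flat result now receives entity-encoded names (`&amp;`, `&lt;`, `&quot;`), while the `flat` branch — `_data = d.unicode_path` is visible as context in the second hunk — still returns the raw path, so the two return shapes disagree for the same file. Encoding for one consumer (the files-view autocomplete) at the point where the data is produced is fragile: a template or JS renderer that also escapes will double-encode, and a non-HTML consumer (a JSON API, a path comparison) gets a name that no longer matches the repository; the `extended_info` branch that follows each hunk is outside the diff and may carry further path-derived fields that are not escaped, which is worth checking. Consider escaping where the autocomplete payload is rendered and keeping the model output raw; if the escape must stay here, document the contract next to the dict in both hunks, e.g. `# "name" is HTML-escaped: it is injected into the files-view autocomplete markup`. The same point applies to both hunks; the enclosing function (the commit message's "Nodes function") starts and ends outside them.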