# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2018-12-27 16:38:19
# Node ID ac49245538176fc707504adbc0753416de9750b9
# Parent  e2c979bce8420a56e1391d83800499bb7ec9f269

security: fixed xss in context diff menu.

diff --git a/rhodecode/templates/codeblocks/diffs.mako b/rhodecode/templates/codeblocks/diffs.mako
--- a/rhodecode/templates/codeblocks/diffs.mako
+++ b/rhodecode/templates/codeblocks/diffs.mako
@@ -909,6 +909,8 @@ def get_comments_for(diff_type, comments
             };
 
             var animateText =  $.debounce(100, function(fPath, anchorId) {
+                fPath = Select2.util.escapeMarkup(fPath);
+
                 // animate setting the text
                 var callback = function () {
                     $('.fpath-placeholder-text').animate({'opacity': 1.00}, 200)