# HG changeset patch
# User Marcin Kuzminski
# Date 2018-12-27 16:38:19
# Node ID ac49245538176fc707504adbc0753416de9750b9
# Parent e2c979bce8420a56e1391d83800499bb7ec9f269
security: fixed xss in context diff menu.
diff --git a/rhodecode/templates/codeblocks/diffs.mako b/rhodecode/templates/codeblocks/diffs.mako
--- a/rhodecode/templates/codeblocks/diffs.mako
+++ b/rhodecode/templates/codeblocks/diffs.mako
@@ -909,6 +909,8 @@ def get_comments_for(diff_type, comments
 };
 var animateText = $.debounce(100, function(fPath, anchorId) {
+ fPath = Select2.util.escapeMarkup(fPath);
+
 // animate setting the text
 var callback = function () {
 $('.fpath-placeholder-text').animate({'opacity': 1.00}, 200)