# HG changeset patch
# User Marcin Kuzminski
# Date 2019-08-26 14:58:25
# Node ID dadcfb437043f2a4e52847edea36281df3635ab7
# Parent 49be39108b7940be5b3c3713e6bf5be370d8baea
security: fixed XSS in file editing.
diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -1230,7 +1230,7 @@ class RepoFilesView(RepoAppView):
 default_redirect_url = h.route_path('repo_commit', repo_name=self.db_repo_name, commit_id=commit_id)
 if content == old_content and node_path == org_node_path:
- h.flash(_('No changes detected on {}').format(org_node_path),
+ h.flash(_('No changes detected on {}').format(h.escape(org_node_path)),
 category='warning')
 raise HTTPFound(default_redirect_url)
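Review bot: The escaping is applied at this one call site only, on the `h.flash(...)` line in the `content == old_content` branch, so the protection depends on every other caller that formats a repository-controlled path into a flash message doing the same. The commit title suggests flash text is rendered as raw HTML; if that is the case, a comment such as `# flash text is rendered unescaped: escape the user-controlled path` above the call would record why `h.escape` is needed. Other `h.flash` calls in this view that interpolate `node_path` or a file name lie outside this hunk and cannot be checked here, so they deserve the same audit. A regression test that submits an unchanged edit for a file whose name contains markup, and asserts the flashed text is entity-encoded, would pin the fix. The enclosing method starts and ends outside the hunk.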