# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2019-08-26 14:58:25
# Node ID dadcfb437043f2a4e52847edea36281df3635ab7
# Parent  49be39108b7940be5b3c3713e6bf5be370d8baea

security: fixed XSS in file editing.

diff --git a/rhodecode/apps/repository/views/repo_files.py b/rhodecode/apps/repository/views/repo_files.py
--- a/rhodecode/apps/repository/views/repo_files.py
+++ b/rhodecode/apps/repository/views/repo_files.py
@@ -1230,7 +1230,7 @@ class RepoFilesView(RepoAppView):
         default_redirect_url = h.route_path('repo_commit', repo_name=self.db_repo_name,
                                             commit_id=commit_id)
         if content == old_content and node_path == org_node_path:
-            h.flash(_('No changes detected on {}').format(org_node_path),
+            h.flash(_('No changes detected on {}').format(h.escape(org_node_path)),
                     category='warning')
             raise HTTPFound(default_redirect_url)