security: fix self xss on repo downloads picker for svn case.
ergo -
r2330:354d2073 default
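--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -102,11 +102,12 @@
 // on change of download options
 $('#download_options').on('change', function(e) {
 // format of Object {text: "v0.0.3", type: "tag", id: "rev"}
+var ext = '.zip';
 var selected_cs = e.added;
-var fname= e.added.raw_id + ".zip";
+var fname = e.added.raw_id + ext;
 var href = pyroutes.url('repo_archivefile', {'repo_name': templateContext.repo_name, 'fname':fname});
 // set new label
-$('#archive_link').html('<i class="icon-archive"></i> '+ e.added.text+".zip");
+$('#archive_link').html('<i class="icon-archive"></i> {0}{1}'.format(escapeHtml(e.added.text), ext));
 
 // set new url to button,
 $('#archive_link').attr('href', href)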
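Review bot: The label on the `$('#archive_link').html(...)` line is still assembled as an HTML string, so the fix holds only while every value interpolated there is passed through `escapeHtml`; building the node without string HTML removes that dependency, e.g. `$('#archive_link').empty().append($('<i class="icon-archive">'), document.createTextNode(' ' + e.added.text + ext));`. `selected_cs` is assigned, but the visible lines read `e.added` directly, so either use it for `raw_id` and `text` or drop it. Whether `pyroutes.url` percent-encodes `fname` is not visible in this hunk; it is worth confirming, because `raw_id` comes from the same event object as the label text. The handler's body continues past the end of the hunk.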