rhodecode-enterprise-ce Commit - r1779:7a1d008d

security: fixed XSS inside the tooltip for author string.

marcink -

r1779:7a1d008d default

parent child

rhodecode/lib/helpers.py

0 +2 -1

                     user = User.get_by_email(email, case_insensitive=True, cache=True)
                     if user:
                         if user.firstname or user.lastname:
-                            return '%s %s &lt;%s&gt;' % (user.firstname, user.lastname, email)
+                            return '%s %s &lt;%s&gt;' % (
+                                escape(user.firstname), escape(user.lastname), email)
                         else:
                             return email
                     else:

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages