file-renderer: escape alt text to prevent XSS on binary files with bad filenames.
marcink -
r2993:97626a52 default
@@ -43,6 +43,7 b' from collections import OrderedDict'
43 43 import pygments
44 44 import itertools
45 45 import fnmatch
46 import bleach
46 47
47 48 from datetime import datetime
48 49 from functools import partial
@@ -1778,16 +1779,19 b' def render_binary(repo_name, file_obj):'
1778 1779 """
1779 1780 Choose how to render a binary file
1780 1781 """
1782
1781 1783 filename = file_obj.name
1782 1784
1783 1785 # images
1784 1786 for ext in ['*.png', '*.jpg', '*.ico', '*.gif']:
1785 1787 if fnmatch.fnmatch(filename, pat=ext):
1786 alt = filename
1788 alt = escape(filename)
1787 1789 src = route_path(
1788 1790 'repo_file_raw', repo_name=repo_name,
1789 commit_id=file_obj.commit.raw_id, f_path=file_obj.path)
1790 return literal('<img class="rendered-binary" alt="{}" src="{}">'.format(alt, src))
1791 commit_id=file_obj.commit.raw_id,
1792 f_path=file_obj.path)
1793 return literal(
1794 '<img class="rendered-binary" alt="{}" src="{}">'.format(alt, src))
1791 1795
1792 1796
1793 1797 def renderer_from_filename(filename, exclude=None):
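Review bot: Only `alt` is escaped in the rebuilt `<img>` tag; `src` is still dropped into the double-quoted attribute via `.format` inside `literal(...)` with no HTML escaping, even though it is built from the same attacker-controlled `file_obj.path` that motivated this fix. `route_path` presumably percent-encodes path segments so a `"` should not survive, but an `&` in a filename will be emitted raw inside the attribute, and relying on URL quoting for HTML-attribute safety is fragile; escaping both values costs nothing: `src = escape(route_path('repo_file_raw', repo_name=repo_name, commit_id=file_obj.commit.raw_id, f_path=file_obj.path))`. The `import bleach` added in the first hunk is not referenced by anything visible in this change; if it is not used elsewhere in the commit it should be dropped rather than pulling in a third-party dependency for nothing. Where `escape` is imported from is outside this hunk, so it is worth confirming it is the markupsafe-style variant that also escapes `"` and `'`, otherwise the `alt` fix is incomplete.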