rhodecode-enterprise-ce Commit - r2179:a3d55bf9

select2: always escape .text attributes to prevent XSS via...

ergo -

r2179:a3d55bf9 default

parent child

rhodecode/public/js/src/rhodecode.js

0 +1 -1

                } else if (commit_ref.type === 'book'){
                  tmpl = tmpl.concat('<i class="icon-bookmark"></i> ');
                }
-               return tmpl.concat(commit_ref.text);
+               return tmpl.concat(escapeHtml(commit_ref.text));
              };
              // takes a given html element and scrolls it down offset pixels

rhodecode/public/js/src/rhodecode/select2_widgets.js

0 +1 -3

                $(targetElement).select2({
                  cachedDataSource: {},
                  dropdownAutoWidth: true,
-                 formatResult: formatResult,
                  width: "resolve",
                  containerCssClass: "drop-menu",
                  dropdownCssClass: "drop-menu-dropdown",
                      });
                    }
                  },
                  initSelection: function(element, callback) {
                    callback(initialData);
                  },
+                 formatResult: formatResult,
                  formatSelection: formatSelection
                });

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages