security: use safe escaped version of description for repo and repo group to potentially...
ergo -
r1830:d786fdd7 default
@@ -1026,6 +1026,11 b' class UserApiKeys(Base, BaseModel):'
1026 1026 data['auth_token'] = self.token_obfuscated
1027 1027 return data
1028 1028
1029 @hybrid_property
1030 def description_safe(self):
1031 from rhodecode.lib import helpers as h
1032 return h.escape(self.description)
1033
1029 1034 @property
1030 1035 def expired(self):
1031 1036 if self.expires == -1:
@@ -1111,6 +1116,11 b' class UserIpMap(Base, BaseModel):'
1111 1116 description = Column("description", String(10000), nullable=True, unique=None, default=None)
1112 1117 user = relationship('User', lazy='joined')
1113 1118
1119 @hybrid_property
1120 def description_safe(self):
1121 from rhodecode.lib import helpers as h
1122 return h.escape(self.description)
1123
1114 1124 @classmethod
1115 1125 def _get_ip_range(cls, ip_addr):
1116 1126 net = ipaddress.ip_network(ip_addr, strict=False)
@@ -1199,6 +1209,11 b' class UserGroup(Base, BaseModel):'
1199 1209 user = relationship('User')
1200 1210
1201 1211 @hybrid_property
1212 def description_safe(self):
1213 from rhodecode.lib import helpers as h
1214 return h.escape(self.description)
1215
1216 @hybrid_property
1202 1217 def group_data(self):
1203 1218 if not self._group_data:
1204 1219 return {}
@@ -1496,6 +1511,11 b' class Repository(Base, BaseModel):'
1496 1511 safe_unicode(self.repo_name))
1497 1512
1498 1513 @hybrid_property
1514 def description_safe(self):
1515 from rhodecode.lib import helpers as h
1516 return h.escape(self.description)
1517
1518 @hybrid_property
1499 1519 def landing_rev(self):
1500 1520 # always should return [rev_type, rev]
1501 1521 if self._landing_revision:
@@ -1805,7 +1825,7 b' class Repository(Base, BaseModel):'
1805 1825 'url': RepoModel().get_url(self),
1806 1826 'private': repo.private,
1807 1827 'created_on': repo.created_on,
1808 'description': repo.description,
1828 'description': repo.description_safe,
1809 1829 'landing_rev': repo.landing_rev,
1810 1830 'owner': repo.user.username,
1811 1831 'fork_of': repo.fork.repo_name if repo.fork else None,
@@ -2204,8 +2224,13 b' class RepoGroup(Base, BaseModel):'
2204 2224 self.parent_group = parent_group
2205 2225
2206 2226 def __unicode__(self):
2207 return u"<%s('id:%s:%s')>" % (self.__class__.__name__, self.group_id,
2208 self.group_name)
2227 return u"<%s('id:%s:%s')>" % (
2228 self.__class__.__name__, self.group_id, self.group_name)
2229
2230 @hybrid_property
2231 def description_safe(self):
2232 from rhodecode.lib import helpers as h
2233 return h.escape(self.group_description)
2209 2234
2210 2235 @classmethod
2211 2236 def _generate_choice(cls, repo_group):
@@ -2436,7 +2461,7 b' class RepoGroup(Base, BaseModel):'
2436 2461 data = {
2437 2462 'group_id': group.group_id,
2438 2463 'group_name': group.group_name,
2439 'group_description': group.group_description,
2464 'group_description': group.description_safe,
2440 2465 'parent_group': group.parent_group.group_name if group.parent_group else None,
2441 2466 'repositories': [x.repo_name for x in group.repositories],
2442 2467 'owner': group.user.username,
@@ -3303,6 +3328,11 b' class _PullRequestBase(BaseModel):'
3303 3328 return json.dumps(self.reviewer_data)
3304 3329
3305 3330 @hybrid_property
3331 def description_safe(self):
3332 from rhodecode.lib import helpers as h
3333 return h.escape(self.description)
3334
3335 @hybrid_property
3306 3336 def revisions(self):
3307 3337 return self._revisions.split(':') if self._revisions else []
3308 3338
@@ -3739,6 +3769,11 b' class Gist(Base, BaseModel):'
3739 3769 def __repr__(self):
3740 3770 return '<Gist:[%s]%s>' % (self.gist_type, self.gist_access_id)
3741 3771
3772 @hybrid_property
3773 def description_safe(self):
3774 from rhodecode.lib import helpers as h
3775 return h.escape(self.gist_description)
3776
3742 3777 @classmethod
3743 3778 def get_or_404(cls, id_, pyramid_exc=False):
3744 3779
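Review bot: `description_safe` passes the raw column value straight to `h.escape`, but the description columns can be NULL (`UserIpMap.description` is declared `nullable=True` in its hunk), and if `h.escape` is markupsafe-based a `None` comes back as the string `'None'`, which the Repository and RepoGroup API-data hunks would then emit as `"description": "None"` instead of `null`. A guard such as `return h.escape(self.description) if self.description is not None else None` keeps that contract intact. These getters also have no SQL-expression meaning, so `@hybrid_property` (which SQLAlchemy evaluates against the class as well, i.e. `h.escape(<Column>)`) is the wrong tool here — a plain `@property` is the safer choice. Each getter deserves a docstring stating that the value is HTML-escaped for template use, because the API-data dicts now hand HTML entities to JSON consumers, a behaviour change the commit message does not call out. The enclosing classes start and end outside the hunks.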
@@ -1295,7 +1295,7 b' class PullRequestModel(BaseModel):'
1295 1295 'lastname': repo.user.last_name,
1296 1296 'gravatar_link': h.gravatar_url(repo.user.email, 14),
1297 1297 },
1298 'description': h.chop_at_smart(repo.description, '\n'),
1298 'description': h.chop_at_smart(repo.description_safe, '\n'),
1299 1299 'refs': {
1300 1300 'all_refs': all_refs,
1301 1301 'selected_ref': selected_ref,
@@ -257,7 +257,7 b' class RepoModel(BaseModel):'
257 257 "last_changeset": last_rev(repo.repo_name, cs_cache),
258 258 "last_changeset_raw": cs_cache.get('revision'),
259 259
260 "desc": desc(repo.description),
260 "desc": desc(repo.description_safe),
261 261 "owner": user_profile(repo.user.username),
262 262
263 263 "state": state(repo.repo_state),
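Review bot: `desc(repo.description_safe)` feeds an already HTML-escaped string into the `desc` helper; if `desc` renders it through a template with default HTML escaping, entities such as `&lt;` and `&amp;` will be escaped a second time and displayed literally. Worth confirming how `desc` renders and, if it autoescapes, marking the value as pre-escaped at that point (the template's no-escape filter or a markup-literal wrapper) rather than escaping twice. The same question applies to `desc(group.description_safe, group.personal)` in the RepoGroupModel hunk below. The enclosing method starts and ends outside the hunk.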
@@ -711,7 +711,7 b' class RepoGroupModel(BaseModel):'
711 711 "menu": quick_menu(group.group_name),
712 712 "name": repo_group_lnk(group.group_name),
713 713 "name_raw": group.group_name,
714 "desc": desc(group.group_description, group.personal),
714 "desc": desc(group.description_safe, group.personal),
715 715 "top_level_repos": 0,
716 716 "owner": user_profile(group.user.username)
717 717 }