# HG changeset patch
# User Marcin Kuzminski
# Date 2018-09-01 00:50:29
# Node ID 6936fe23f2918a3e9e0ed37926401713a8bfd347
# Parent 97626a528377172e767004be28e288b5990dc1ac
changelog: escape the graph branch name to prevent XSS.

diff --git a/rhodecode/apps/repository/views/repo_changelog.py b/rhodecode/apps/repository/views/repo_changelog.py
--- a/rhodecode/apps/repository/views/repo_changelog.py
+++ b/rhodecode/apps/repository/views/repo_changelog.py
@@ -89,7 +89,7 @@ class RepoChangelogView(RepoAppView):
 data = dict(
 raw_id=commit.raw_id,
 idx=commit.idx,
- branch=commit.branch,
+ branch=h.escape(commit.branch),
 )
 if parents:
 data['parents'] = [
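Review bot: `branch=h.escape(commit.branch)` applies HTML encoding while building the data payload rather than at the point the value is rendered, so every consumer of this dict must now treat the `branch` field as pre-escaped markup; a consumer that inserts it as text (or reads it for non-HTML purposes) will see `&amp;`/`&lt;` literally. That contract is easy to lose, so record it on the line, e.g. `# branch is HTML-escaped here: the graph renderer injects it as markup, not text`. Also worth confirming what `h.escape` does with a `None` branch (commits without a branch previously serialized as `null`); if it stringifies, guard with `branch=h.escape(commit.branch) if commit.branch is not None else None`. The enclosing method starts outside the hunk and its body continues past `data['parents'] = [`.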