# HG changeset patch
# User Marcin Kuzminski
# Date 2018-09-01 00:38:56
# Node ID 97626a528377172e767004be28e288b5990dc1ac
# Parent 634585945abee1d4c1532eb4bba050017f5dbae6
file-renderer: escape alt text to prevent XSS on binary files with bad filenames.
diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -43,6 +43,7 @@ from collections import OrderedDict
 import pygments
 import itertools
 import fnmatch
+import bleach
 from datetime import datetime
 from functools import partial
@@ -1778,16 +1779,19 @@ def render_binary(repo_name, file_obj):
     """
     Choose how to render a binary file
     """
+    filename = file_obj.name
     # images
     for ext in ['*.png', '*.jpg', '*.ico', '*.gif']:
         if fnmatch.fnmatch(filename, pat=ext):
-            alt = filename
+            alt = escape(filename)
             src = route_path(
                 'repo_file_raw', repo_name=repo_name,
-                commit_id=file_obj.commit.raw_id, f_path=file_obj.path)
-            return literal('{}'.format(alt, src))
+                commit_id=file_obj.commit.raw_id,
+                f_path=file_obj.path)
+            return literal(
+                '{}'.format(alt, src))
 
 def renderer_from_filename(filename, exclude=None):
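Review bot: `import bleach` is added to the import block, but nothing in this patch uses it — the escaping in the render_binary hunk calls `escape()`, not bleach. If bleach is not referenced elsewhere in helpers.py (outside the hunks shown), the line is an unused import that pulls in a third-party dependency for nothing; either remove it or make the sanitisation actually go through it. A one-line comment naming the intended consumer would also help, e.g. `import bleach  # used by <helper name> for HTML sanitisation`, with the helper name filled in by the author.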
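Review bot: Only `alt` is escaped; `src` returned by `route_path()` is interpolated into the same attribute template unescaped on the last `+` line. route_path presumably percent-encodes path components, but HTML-escaping at the point of attribute insertion is the robust contract independent of the URL layer, so `'{}'.format(alt, escape(src))` closes the remaining gap. `escape` itself is not imported by this patch, so the change relies on an existing import in helpers.py that is outside the visible hunks — worth confirming, since a NameError here would only surface when a matching image file is rendered. The docstring could also state the security requirement, e.g. `"""Choose how to render a binary file. Output is marked literal(), so every interpolated value must be escaped."""`. render_binary's signature sits above the hunk in the @@ context line.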