# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2018-02-07 21:57:10
# Node ID 0fd8208e0f93ff7810c9c7a8ac69f2468b56ea51
# Parent  db577a02545f46d5b5b382914b2c4c2d4f771667

sec: serialize the repo name in repo checks to prevent potential html injections.

diff --git a/rhodecode/apps/repository/views/repo_checks.py b/rhodecode/apps/repository/views/repo_checks.py
--- a/rhodecode/apps/repository/views/repo_checks.py
+++ b/rhodecode/apps/repository/views/repo_checks.py
@@ -27,6 +27,7 @@ from rhodecode.apps._base import BaseApp
 from rhodecode.lib import helpers as h
 from rhodecode.lib.auth import (NotAnonymous, HasRepoPermissionAny)
 from rhodecode.model.db import Repository
+from rhodecode.model.validation_schema.types import RepoNameType
 
 log = logging.getLogger(__name__)
 
@@ -43,8 +44,8 @@ class RepoChecksView(BaseAppView):
         renderer='rhodecode:templates/admin/repos/repo_creating.mako')
     def repo_creating(self):
         c = self.load_default_context()
-
         repo_name = self.request.matchdict['repo_name']
+        repo_name = RepoNameType().deserialize(None, repo_name)
         db_repo = Repository.get_by_repo_name(repo_name)
 
         # check if maybe repo is already created