# HG changeset patch
# User Marcin Kuzminski
# Date 2017-12-07 12:04:16
# Node ID a18c6a2fa0d13b2d478c070ec845f44da55e182b
# Parent 91f896eefc031ff07bd3588e2469c0329ce8ed36
issue-trackers: bleach.clean the url entry to avoid JS injections.

diff --git a/rhodecode/model/settings.py b/rhodecode/model/settings.py
--- a/rhodecode/model/settings.py
+++ b/rhodecode/model/settings.py
@@ -23,6 +23,7 @@ import hashlib
 import logging
 from collections import namedtuple
 from functools import wraps
+import bleach
 
 from rhodecode.lib import caches
 from rhodecode.lib.utils2 import (
@@ -344,10 +345,14 @@ class IssueTrackerSettingsModel(object):
 
         # populate
         for uid in issuetracker_entries:
             issuetracker_entries[uid] = AttributeDict({
-                'pat': qs.get(self._get_keyname('pat', uid, 'rhodecode_')),
-                'url': qs.get(self._get_keyname('url', uid, 'rhodecode_')),
-                'pref': qs.get(self._get_keyname('pref', uid, 'rhodecode_')),
-                'desc': qs.get(self._get_keyname('desc', uid, 'rhodecode_')),
+                'pat': qs.get(
+                    self._get_keyname('pat', uid, 'rhodecode_')),
+                'url': bleach.clean(
+                    qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''),
+                'pref': qs.get(
+                    self._get_keyname('pref', uid, 'rhodecode_')),
+                'desc': qs.get(
+                    self._get_keyname('desc', uid, 'rhodecode_')),
             })
         return issuetracker_entries
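Review bot: Wrapping the `url` entry in `bleach.clean` does not close the injection the commit title names, because `bleach.clean` escapes HTML tags and attributes while a value like `javascript:alert(1)` contains neither and passes through unchanged; if this entry is later placed in an `href`, as the title suggests, it still executes. The matching control is a scheme allow-list on the raw value: `raw_url = qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''`, then `'url': raw_url if urlparse(raw_url).scheme.lower() in ('http', 'https') else ''`, leaving HTML escaping to the template at render time. A second effect of `bleach.clean` worth checking is that it rewrites `&` to `&amp;`, so a tracker URL carrying a query string such as `?id=${id}&x=y` is altered on every read and may be escaped twice by the template. The `desc` and `pref` values read from the same `qs` in this hunk are returned untouched; if they are rendered next to the link they presumably need the same treatment. The enclosing method starts outside the hunk.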