Author: Lukas Fleischer <cgit@cryptocrack.de>
Fix potential XSS vulnerability in rename hint The file name displayed in the rename hint should be escaped to avoid XSS. Note that this vulnerability is only applicable when an attacker has gained push access to the repository. Signed-off-by: Lukas Fleischer <cgit@cryptocrack.de> Signed-off-by: Lars Hjemli <hjemli@gmail.com>
ui-diff.c | 10 ++++++----
diff --git a/ui-diff.c b/ui-diff.c index d21541bd4d2b79d19222fc9dd09ae14e70d59e51..383a5347c2dbcb1ca9ae2bea53539a68d3ca94a3 100644 --- a/ui-diff.c +++ b/ui-diff.c @@ -97,10 +97,12 @@ } htmlf("</td><td class='%s'>", class); cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1, ctx.qry.sha2, info->new_path, 0); - if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) - htmlf(" (%s from %s)", - info->status == DIFF_STATUS_COPIED ? "copied" : "renamed", - info->old_path); + if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) { + htmlf(" (%s from ", + info->status == DIFF_STATUS_COPIED ? "copied" : "renamed"); + html_txt(info->old_path); + html(")"); + } html("</td><td class='right'>"); if (info->binary) { htmlf("bin</td><td class='graph'>%ld -> %ld bytes",