[PATCH] models: Add commit_url_format to Project
Andrew Donnellan
ajd at linux.ibm.com
Thu Aug 22 13:58:48 AEST 2019
On 22/8/19 11:55 am, Daniel Axtens wrote:
> It looks like you're going to do a v2 anyway to mesh with Andrew's
> changes - please could you pop in an update to the fixtures that
> demonstrates/exercises this?
>
> I've had a look at the mark_safe bit. I don't love it - it allows
> someone with priv-esc to admin to XSS everyone who visits a patch
> page. Having said that I'm not entirely sure what the best way to handle
> it is. Andrew you did a few follow-up patches for our XSS adventures -
> do you have any thoughts?
I think you probably want to wrap the
patch.project.commit_url_format.format(commit=commit) in an escape.
--
Andrew Donnellan OzLabs, ADL Canberra
ajd at linux.ibm.com IBM Australia Limited
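The escaping suggested above, written out as an added example that is not Patchwork's code and not from either participant: the format string plays the role of `commit_url_format` and is treated as admin-controlled, `html.escape` stands in for Django's `escape`, and the `Project`, `render_commit_link` and `uses_only_commit_placeholder` names are assumptions made for the illustration. It shows the raw substitution (what a `mark_safe` wrapper would emit verbatim) beside the escaped form, plus a check that the format string uses only a plain `{commit}` field.

```python
"""Escaping an admin-supplied commit URL format before it reaches a page.

Added example, not Patchwork code. html.escape stands in for
django.utils.html.escape; class and function names are hypothetical.
"""
import html
import string


class Project:
    """Minimal stand-in for a model carrying a commit_url_format field."""

    def __init__(self, commit_url_format: str) -> None:
        self.commit_url_format = commit_url_format


# Constructed sample values for the demonstration.
SAFE_FORMAT = "https://git.example.org/project/commit/{commit}"
# A format string carrying markup, as a privileged admin could store it.
MARKUP_FORMAT = 'https://git.example.org/commit/{commit}"><b>bold</b>'
COMMIT = "0123abcd"


def format_commit_url(project: Project, commit: str) -> str:
    """Substitute the commit hash, as the patch's .format(commit=commit) does."""
    return project.commit_url_format.format(commit=commit)


def commit_url_unsafe(project: Project, commit: str) -> str:
    """Raw result: wrapped in mark_safe, any markup in the format string is emitted as-is."""
    return format_commit_url(project, commit)


def commit_url_escaped(project: Project, commit: str) -> str:
    """Result with HTML escaping applied after substitution (quote=True also escapes quotes)."""
    return html.escape(format_commit_url(project, commit), quote=True)


def render_commit_link(project: Project, commit: str) -> str:
    """Hypothetical template-tag body: both the href and the link text are escaped."""
    return f'<a href="{commit_url_escaped(project, commit)}">{html.escape(commit)}</a>'


def uses_only_commit_placeholder(commit_url_format: str) -> bool:
    """Validation for the model field: accept only format strings whose sole
    replacement field is a bare {commit} (no other names, attribute access,
    conversion or format spec)."""
    try:
        parsed = list(string.Formatter().parse(commit_url_format))
    except ValueError:  # unbalanced braces and similar
        return False
    for _literal, field, spec, conversion in parsed:
        if field is None:  # trailing literal text only
            continue
        if field != "commit" or spec or conversion:
            return False
    return True


if __name__ == "__main__":
    hostile = Project(MARKUP_FORMAT)
    print("raw    :", commit_url_unsafe(hostile, COMMIT))
    print("escaped:", commit_url_escaped(hostile, COMMIT))
    print("link   :", render_commit_link(hostile, COMMIT))
    print("valid  :", uses_only_commit_placeholder(MARKUP_FORMAT))
```

Escaping after `format()` is the minimal fix for the rendering path; the placeholder check is an additional model-level validation so that a stored format string can only ever insert the commit hash.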