[PATCH] models: Add commit_url_format to Project

Andrew Donnellan ajd at linux.ibm.com
Thu Aug 22 13:58:48 AEST 2019

On 22/8/19 11:55 am, Daniel Axtens wrote:
> It looks like you're going to do a v2 anyway to mesh with Andrew's
> changes - please could you pop in update to the fixtures that
> demonstrates/exercises this?
> I've had a look at the mark_safe bit. I don't love it - it allows
> someone with priv-esc to admin to XSS everyone who visits a patch
> page. Having said that I'm not entirely sure what the best way to handle
> it is. Andrew you did a few follow-up patches for our XSS adventures -
> do you have any thoughts?

I think you probably want to wrap the 
patch.project.commit_url_format.format(commit=commit) in an escape.

Andrew Donnellan              OzLabs, ADL Canberra
ajd at linux.ibm.com             IBM Australia Limited

More information about the Patchwork mailing list