Issue #76: HTML injections in file browser (conservancy/kallithea)
Andrew Shadura
issues-reply at bitbucket.org
Wed Jan 14 11:10:29 EST 2015
New issue 76: HTML injections in file browser
https://bitbucket.org/conservancy/kallithea/issue/76/html-injections-in-file-browser
Andrew Shadura:
It is possible to inject HTML code by creating files with special names:
![2015-01-14-170504_101x127_scrot.png](https://bitbucket.org/repo/EaGrMn/images/738017563-2015-01-14-170504_101x127_scrot.png)
```html
<a class="browser-dir ypjax-link" href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%26middot%3B"><i class="icon-folder-open"></i><span>·</span></a>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
</tr>
<tr class="parity1">
<td>
<a class="browser-dir ypjax-link" href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%3Cimg%20src%3D%22eee.png%22%3E"><i class="icon-folder-open"></i><span><img src="eee.png"></span></a>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
<td>
</td>
</tr>
<tr class="parity0">
<td>
```
A repository patch to create such files is attached.
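The behaviour reported above, reproduced next to a context-aware encoding of the same file names. This is an added example, not code from the original report or from Kallithea; `BASE`, `ROW`, `render_unescaped`, `render_escaped`, `RowAudit` and `audit` are hypothetical names, and the path prefix is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample input: the two file names from the report plus a benign one.
SAMPLE_NAMES = ["&middot;", '<img src="eee.png">', "docs"]
BASE = "/example-repo/files/tip/"  # constructed path prefix, not a real repository

ROW = ('<a class="browser-dir ypjax-link" href="{href}">'
       '<i class="icon-folder-open"></i><span>{label}</span></a>')


def render_unescaped(name):
    """Reproduces the reported output: href is URL-quoted, label is written raw."""
    return ROW.format(href=BASE + quote(name, safe=""), label=name)


def render_escaped(name):
    """Encodes per context: URL-quote the path segment, HTML-escape both outputs."""
    href = html.escape(BASE + quote(name, safe=""), quote=True)
    return ROW.format(href=href, label=html.escape(name, quote=True))


class RowAudit(HTMLParser):
    """Records the elements and text an HTML parser sees in a rendered row."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(row):
    """Return (element names, visible text) for one rendered row."""
    parser = RowAudit()
    parser.feed(row)
    parser.close()
    return parser.tags, "".join(parser.text)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name), audit(render_unescaped(name)), audit(render_escaped(name)))
```

A row is rendered correctly when `audit` reports only the `a`, `i` and `span` elements and the visible text equals the file name byte for byte.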