New issue 76: HTML injections in file browser
https://bitbucket.org/conservancy/kallithea/issue/76/html-injections-in-file-browser

Andrew Shadura:

It is possible to inject HTML code by creating files with special names:

![2015-01-14-170504_101x127_scrot.png](https://bitbucket.org/repo/EaGrMn/images/738017563-2015-01-14-170504_101x127_scrot.png)

```html
        
        <a class="browser-dir ypjax-link" 
href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%26middot%3B"><i
 class="icon-folder-open"></i><span>&middot;</span></a>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                </tr>
                <tr class="parity1">
                     <td>
                         
    
    
        
        <a class="browser-dir ypjax-link" 
href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%3Cimg%20src%3D%22eee.png%22%3E"><i
 class="icon-folder-open"></i><span><img src="eee.png"></span></a>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                </tr>
                <tr class="parity0">
                     <td>
```

A repository patch to create such files is attached.
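As an added illustration of the defect and its fix (example code written for this note, not Kallithea's own templates): the directory name is percent-encoded in the `href`, but the visible name inside `<span>` is emitted verbatim, so `&middot;` becomes an entity and `<img ...>` becomes a tag. The hardened renderer HTML-escapes each interpolated value for its context; the repository name is taken from the report, the revision id is a constructed placeholder.

```python
import html
from urllib.parse import quote

# Constructed sample input: the two directory names from the report above.
SAMPLE_NAMES = ["&middot;", '<img src="eee.png">']
REPO, REV = "andrewsh-test", "0" * 40  # constructed placeholder revision id


def dir_href(repo, rev, name):
    """URL path for a directory entry; percent-encode the name component."""
    return "/%s/files/%s/%s" % (repo, rev, quote(name, safe=""))


def render_dir_link_unsafe(repo, rev, name):
    """Reproduces the defect: the href is URL-encoded, but the visible
    name is inserted verbatim, so '<' and '&' in it are parsed as HTML."""
    return '<a class="browser-dir" href="%s"><span>%s</span></a>' % (
        dir_href(repo, rev, name), name)


def render_dir_link(repo, rev, name):
    """Hardened form: HTML-escape every interpolated value for its context
    (attribute value and element text), independently of URL encoding."""
    return '<a class="browser-dir" href="%s"><span>%s</span></a>' % (
        html.escape(dir_href(repo, rev, name), quote=True),
        html.escape(name, quote=True))


def leaks_markup(rendered, name):
    """True if the raw name survives into the output with an unescaped
    '<' or '&', i.e. a browser would interpret it as markup or an entity."""
    return any(c in name for c in "<&") and name in rendered


def audit(names, renderer):
    """Return the names whose rendering leaks markup under `renderer`."""
    return [n for n in names if leaks_markup(renderer(REPO, REV, n), n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("unsafe:", render_dir_link_unsafe(REPO, REV, name))
        print("fixed: ", render_dir_link(REPO, REV, name))
    print("leaking (unsafe):", audit(SAMPLE_NAMES, render_dir_link_unsafe))
    print("leaking (fixed): ", audit(SAMPLE_NAMES, render_dir_link))
```

The `href` values produced by `dir_href` match the percent-encoded paths in the captured HTML above, which is why the attribute context was never the problem; only the text context lacked escaping.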


_______________________________________________
kallithea-general mailing list
[email protected]
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
