On 22/8/19 11:55 am, Daniel Axtens wrote:
> It looks like you're going to do a v2 anyway to mesh with Andrew's
> changes - please could you pop in update to the fixtures that
> demonstrates/exercises this?
> I've had a look at the mark_safe bit. I don't love it - it allows
> someone with priv-esc to admin to XSS everyone who visits a patch
> page. Having said that I'm not entirely sure what the best way to handle
> it is. Andrew you did a few follow-up patches for our XSS adventures -
> do you have any thoughts?
I think you probably want to wrap the
patch.project.commit_url_format.format(commit=commit) in an escape.
--
Andrew Donnellan OzLabs, ADL Canberra
a...@linux.ibm.com IBM Australia Limited
_______________________________________________
Patchwork mailing list
Patchwork@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/patchwork
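An added illustration of the point raised in the thread, not code from Patchwork or from either author: a project's commit URL format is admin-controlled data, so if the formatted link is passed through mark_safe, an admin account that has been taken over can store markup that runs in every visitor's browser. The example below is stdlib-only Python (Django's django.utils.html.escape or format_html would play the same role in the real code base); the format strings, the commit hash and the helper names are constructed here for the demonstration.

```python
import html
import re

# Constructed sample values, not taken from the Patchwork code base.
# commit_url_format is site-admin data, so it has to be treated as untrusted.
SAFE_FORMAT = "https://git.example.org/project/commit/{commit}"
HOSTILE_FORMAT = 'https://git.example.org/commit/{commit}"><script>alert(1)</script><a href="'
COMMIT = "0123456789abcdef0123456789abcdef01234567"


def render_commit_link_unsafe(commit_url_format, commit):
    """The risky pattern: the formatted URL is dropped into the page as-is,
    which is what marking it safe in the template would allow."""
    url = commit_url_format.format(commit=commit)
    return f'<a href="{url}">{commit}</a>'


def render_commit_link_escaped(commit_url_format, commit):
    """Hardened form: escape the formatted URL (and the hash) before it reaches
    the template. html.escape stands in for Django's escape/format_html."""
    url = html.escape(commit_url_format.format(commit=commit), quote=True)
    return f'<a href="{url}">{html.escape(commit, quote=True)}</a>'


# Assumed validation rule for the stored format string (not Patchwork's own):
# http(s) scheme, URL characters only, and exactly one {commit} placeholder.
_FORMAT_RE = re.compile(r"^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%{}-]+$")


def is_acceptable_format(fmt):
    """Reject a commit_url_format at save time if it could carry markup."""
    return (
        bool(_FORMAT_RE.match(fmt))
        and fmt.count("{commit}") == 1
        and fmt.count("{") == 1
        and fmt.count("}") == 1
    )


def contains_injected_markup(rendered):
    """Detection helper: a rendered commit link should contain exactly one
    opening and one closing tag; anything more means markup got through."""
    return len(re.findall(r"<[a-zA-Z/]", rendered)) != 2


if __name__ == "__main__":
    for label, fmt in (("safe", SAFE_FORMAT), ("hostile", HOSTILE_FORMAT)):
        print(label, "format accepted:", is_acceptable_format(fmt))
        print(" unsafe render injected markup:",
              contains_injected_markup(render_commit_link_unsafe(fmt, COMMIT)))
        print(" escaped render injected markup:",
              contains_injected_markup(render_commit_link_escaped(fmt, COMMIT)))
```

Escaping at render time (render_commit_link_escaped) is the fix Andrew suggests and is sufficient on its own; validating the format string when it is saved (is_acceptable_format) is an extra layer that limits what a compromised admin account can store in the first place.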