~comcloudway/builds.sr.ht

ad161132303685d39d99d084ebeb23e014631c84 — Drew DeVault 2 years ago 91a8401
Escape names for build badges

This *looks* like an XSS vulnerability, but shouldn't be, because we
only show SVGs in <img> tags which are protected from XSS even when
served from the same domain.

However, it's still wrong, so let's fix the bug.
1 files changed, 3 insertions(+), 3 deletions(-)

M buildsrht/blueprints/jobs.py
M buildsrht/blueprints/jobs.py => buildsrht/blueprints/jobs.py +3 -3
@@ 154,11 154,11 @@ def svg_page(jobs):
            JobStatus.timeout]))
        .first())
    if not job:
        badge = badge_unknown.replace("__NAME__", name)
        badge = badge_unknown.replace("__NAME__", escape(name))
    elif job.status == JobStatus.success:
        badge = badge_success.replace("__NAME__", name)
        badge = badge_success.replace("__NAME__", escape(name))
    else:
        badge = badge_failure.replace("__NAME__", name)
        badge = badge_failure.replace("__NAME__", escape(name))
    return badge

@jobs.route("/")
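Review bot: the escaping is repeated in each of the three branches of `svg_page`, so a future template branch can silently omit it; compute it once before the `if`, e.g. `safe_name = escape(name)`, and have the branches only choose the template before a single `.replace("__NAME__", safe_name)`. Since the `escape` import lies outside this hunk, confirm it is present in the module and that it escapes `"` and `'` as well as `<` and `&`, which matters if `__NAME__` is substituted inside an attribute value in the SVG template rather than only as text content.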