Escape names for build badges This *looks* like an XSS vulnerability, but shouldn't be, because we only show SVGs in <img> tags which are protected from XSS even when served from the same domain. However, it's still wrong, so let's fix the bug.
1 files changed, 3 insertions(+), 3 deletions(-) M buildsrht/blueprints/jobs.py
M buildsrht/blueprints/jobs.py => buildsrht/blueprints/jobs.py +3 -3
@@ 154,11 154,11 @@ def svg_page(jobs): JobStatus.timeout])) .first()) if not job: badge = badge_unknown.replace("__NAME__", name) badge = badge_unknown.replace("__NAME__", escape(name)) elif job.status == JobStatus.success: badge = badge_success.replace("__NAME__", name) badge = badge_success.replace("__NAME__", escape(name)) else: badge = badge_failure.replace("__NAME__", name) badge = badge_failure.replace("__NAME__", escape(name)) return badge @jobs.route("/")
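Review bot: The same `escape(name)` call is repeated in all three branches of svg_page; escape once ahead of the chain and let the branches only choose the template, e.g. `safe_name = escape(name)` before the `if not job:` line and then `badge = badge_unknown.replace("__NAME__", safe_name)` (and likewise for the success and failure templates), so a future branch cannot forget the escape. Which `escape` this is — `markupsafe.escape` or `html.escape` — is imported outside the hunk; both escape `<`, `>`, `&` and quotes, which is what is needed because `__NAME__` is spliced into the SVG/XML text by a plain `str.replace`, but it is worth confirming the import and stating the intent on that line, `# name is caller-supplied; escape it before splicing into the SVG markup`. The body of svg_page, including where `name` is bound, begins before this hunk.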