Overview

File 0101-Ensure-the-blame-view-does-not-render-html.patch of Package pagure.14383

From 31a0d2950ed409550074ca52ba492f9b87ec3318 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Tue, 4 Jun 2019 10:06:34 +0200
Subject: [PATCH] Ensure the blame view does not render html

Fixes https://pagure.io/pagure/issue/4432
Fixes https://pagure.io/pagure/issue/4442

Fixes CVE-2019-11556

Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
---
 pagure/templates/blame.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pagure/templates/blame.html b/pagure/templates/blame.html
index 476b4029..db1af7c9 100644
--- a/pagure/templates/blame.html
+++ b/pagure/templates/blame.html
@@ -152,7 +152,7 @@
     </div>
 
     {% autoescape false %}
-    {{ content | blame_loc(repo, username, blame) }}
+    {{ content | blame_loc(repo, username, blame) | noJS | safe }}
     {% endautoescape %}
   </div>
 {% else %}
-- 
2.26.2
openSUSE Build Service is sponsored by
Places