Escape html values

Fixes: https://pagure.io/koji/issue/3155
2021-12-09 07:06:54 +01:00 · 2021-12-09 07:06:54 +01:00 · c83d4598de
commit c83d4598de
parent 987946478e
42 changed files with 229 additions and 232 deletions
--- a/www/kojiweb/taskinfo.chtml
+++ b/www/kojiweb/taskinfo.chtml
@ -20,7 +20,7 @@
      <span class="treeBranch">
        <span class="treeLabel">
          <span class="task$childState">$util.imageTag($childState)</span>
-          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$koji.taskLabel($child)</a>
+          <a href="taskinfo?taskID=$child.id" class="task$childState" title="$childState">$util.escapeHTML($koji.taskLabel($child))</a>
        </span>
      </span>
    $printChildren($child.id, $childMap)
@ -32,7 +32,7 @@

 #include "includes/header.chtml"

-  <h4>Information for task <a href="taskinfo?taskID=$task.id">$koji.taskLabel($task)</a></h4>
+  <h4>Information for task <a href="taskinfo?taskID=$task.id">$util.escapeHTML($koji.taskLabel($task))</a></h4>

  <table>
    <tr>
@ -67,13 +67,13 @@
    </tr>
    #if $taskBuild
    <tr>
-      <th>Build</th><td><a href="buildinfo?buildID=$taskBuild.build_id">$koji.buildLabel($taskBuild)</a></td>
+      <th>Build</th><td><a href="buildinfo?buildID=$taskBuild.build_id">$util.escapeHTML($koji.buildLabel($taskBuild))</a></td>
    </tr>
    #end if
    #if $taskBuilds
    #for $build in $taskBuilds
    <tr>
-      <th>Build</th><td><a href="buildinfo?buildID=$build.build_id">$koji.buildLabel($build)</a></td>
+      <th>Build</th><td><a href="buildinfo?buildID=$build.build_id">$util.escapeHTML($koji.buildLabel($build))</a></td>
    </tr>
    #end for
    #end if
@ -116,9 +116,9 @@
      <td>
        #if $owner
          #if $owner.usertype == $koji.USERTYPES['HOST']
-          <a href="hostinfo?userID=$owner.id">$owner.name</a>
+          <a href="hostinfo?userID=$owner.id">$util.escapeHTML($owner.name)</a>
          #else
-          <a href="userinfo?userID=$owner.id">$owner.name</a>
+          <a href="userinfo?userID=$owner.id">$util.escapeHTML($owner.name)</a>
          #end if
        #end if
      </td>
@ -127,7 +127,7 @@
      <th>Channel</th>
      <td>
        #if $task.channel_id
-        <a href="channelinfo?channelID=$task.channel_id">$channelName</a>
+        <a href="channelinfo?channelID=$task.channel_id">$util.escapeHTML($channelName)</a>
        #end if
      </td>
    </tr>
@ -135,12 +135,12 @@
      <th>Host</th>
      <td>
        #if $task.host_id
-        <a href="hostinfo?hostID=$task.host_id">$hostName</a>
+        <a href="hostinfo?hostID=$task.host_id">$util.escapeHTML($hostName)</a>
        #end if
      </td>
    </tr>
    <tr>
-      <th>Arch</th><td>$task.arch</td>
+      <th>Arch</th><td>$util.escapeHTML($task.arch)</td>
    </tr>
    #if $buildroots
    <tr>
@ -156,7 +156,7 @@
      <th>Parent</th>
        <td>
        #if $parent
-        <a href="taskinfo?taskID=$parent.id" class="task$util.taskState($parent.state)">$koji.taskLabel($parent)</a>
+        <a href="taskinfo?taskID=$parent.id" class="task$util.taskState($parent.state)">$util.escapeHTML($koji.taskLabel($parent))</a>
        #end if
      </td>
    </tr>