From 612950237a7f777b9e689e84f30e4d5f101b909b Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Jul 18 2018 13:21:28 +0000
Subject: Do not allow js/html in description Fix CVE-2018-1002155
Signed-off-by: Michael Scherer
---
diff --git a/pagure/templates/repo_info.html b/pagure/templates/repo_info.html
index 5633ee6..e2db52e 100644
--- a/pagure/templates/repo_info.html
+++ b/pagure/templates/repo_info.html
@@ -81,7 +81,7 @@ {% endif %}
- {% if repo.description %}{{ repo.description | safe }}{% else %}-{% endif -%} + {% if repo.description %}{{ repo.description | noJS | safe }}{% else %}-{% endif -%} {%- if repo.url %}  |  {{ repo.url }}{% endif %}
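Review bot: The `| safe` kept after `noJS` on the new description line still switches off Jinja autoescaping, so the rendered output is only as safe as the `noJS` filter, whose implementation is outside this diff. If the description is meant to be plain text, as the subject line suggests, `{{ repo.description }}` with autoescaping alone would be the narrower fix. If limited markup is intended, a template comment such as `{# noJS sanitises the description; safe only marks the sanitised result as renderable #}` would record why `safe` stays. The patch touches only repo_info.html, so any other template that renders `repo.description` with `| safe` (none is visible here) should be checked for the same pattern. A regression test that renders a description containing a script tag would pin the fix.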