Rcstack - descriptions no longer showing the XML token characters

Hi,

The new rcstack seems to XML-escape the common XML tokens if found in the description (from the groups or the repositories):

But the description edition shows the original value:

The previous rccontrol displayed such descriptions correctly:

The tested description is XML Tokens ; & > <.
You can find an example here: Group-With-XML-tokens.

Note that this doesn’t affect the commit messages.

I suspect that the most common case is to have a ' or a & in a group or repository description, for any user: if you see a &#39; or &amp;, this is due to the XML escaping.
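An added example, not part of the thread or of RhodeCode's own code, that reconstructs the symptom described above: a description that is XML-escaped once when stored and again by the template on output shows &amp; / &#39; to the user, whereas escaping exactly once at the output boundary keeps the text intact while still neutralising markup. The escaper, pipelines and test value are assumptions built for this illustration.

```python
import html

# Constructed test value, taken from the description quoted in the post.
DESCRIPTION = "XML Tokens ; & > <."

# Entities matching what the post reports seeing (&#39; and &amp;).
_XML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def xml_escape(value: str) -> str:
    """Escape the five XML special characters (per-character, so '&' is never re-escaped)."""
    return "".join(_XML_ENTITIES.get(ch, ch) for ch in value)


def legacy_pipeline(description: str) -> str:
    """Hypothetical reconstruction of the symptom: escaped when stored in the model,
    then escaped a second time by the template's auto-escaping on output."""
    stored = xml_escape(description)   # escaped copy written to the database
    return xml_escape(stored)          # template escapes it again when rendering


def fixed_pipeline(description: str) -> str:
    """Store the raw text and escape exactly once, at the HTML output boundary.
    Markup in the description is still neutralised (the XSS concern in the reply)
    without corrupting legitimate characters."""
    stored = description               # raw text in the database
    return xml_escape(stored)          # single escape at render time


def as_displayed(rendered_html: str) -> str:
    """What the browser paints for the rendered HTML: entities decoded once."""
    return html.unescape(rendered_html)


def is_double_escaped(rendered_html: str) -> bool:
    """Detection check: an entity whose own '&' has been escaped is the tell-tale sign."""
    markers = ("&amp;amp;", "&amp;lt;", "&amp;gt;", "&amp;#39;", "&amp;quot;")
    return any(tok in rendered_html for tok in markers)


if __name__ == "__main__":
    for name, pipeline in (("legacy", legacy_pipeline), ("fixed", fixed_pipeline)):
        out = pipeline(DESCRIPTION)
        print(f"{name:6} html={out!r} shown={as_displayed(out)!r} double={is_double_escaped(out)}")
```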

Hi,

We've removed the use of those due to potential XSS issues.
From the history here: https://code.rhodecode.com/rhodecode-enterprise-ce/annotate/115837d2b7255338ab81c2aff6f2195e1de665dd/rhodecode/model/db.py#L2701

It looks like it was introduced in 2017.

Ok, good to know. Thanks.

For anyone interested, the related changes are a little further: https://code.rhodecode.com/rhodecode-enterprise-ce/annotate/115837d2b7255338ab81c2aff6f2195e1de665dd/rhodecode/model/db.py#L2770

And the commit was: rhodecode-enterprise-ce Commit - r1830:d786fdd7 · RhodeCode Free Hosting
