Description: CVE-2016-1236: XSS via directory or file in a repository containing XSS payload Origin: vendor Forwarded: no Author: Nitin Venkatesh Reviewed-by: Salvatore Bonaccorso Last-Update: 2016-05-08
--- a/revision.php
+++ b/revision.php
@@ -145,7 +145,7 @@ if ($rep) {
 }
 $resourceExisted = $change->action == 'M' || $change->copyfrom;
 $listing[] = array(
- 'path' => $change->path,
+ 'path' => escape($change->path),
 'oldpath' => $change->copyfrom ? $change->copyfrom.' @ '.$change->copyrev : '',
 'action' => $change->action,
 'added' => $change->action == 'A',
--- a/log.php
+++ b/log.php
@@ -323,6 +323,9 @@ if ($rep) {
 $listing[$index]['revadded'] = (isset($modpaths['A'])) ? implode('
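Review bot: The `oldpath` entry directly below the escaped `path` still concatenates `$change->copyfrom` unescaped, and a copy-source path comes from the same repository content as `$change->path`. If the template prints `oldpath` the way it prints `path` (not visible here), the change leaves that field exposed; the line would become `'oldpath' => $change->copyfrom ? escape($change->copyfrom.' @ '.$change->copyrev) : '',`. The same gap appears in the first listing.php hunk, where `filename` is escaped but `$listing[$index]['path'] = $path.$file;` on the preceding line is not. The `$listing[] = array(` literal continues past the end of the hunk.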
', $modpaths['A']) : '';
 $listing[$index]['revdeleted'] = (isset($modpaths['D'])) ? implode('
', $modpaths['D']) : '';
 $listing[$index]['revmodified'] = (isset($modpaths['M'])) ? implode('
', $modpaths['M']) : '';
+ $listing[$index]['revadded'] = escape($listing[$index]['revadded']);
+ $listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']);
+ $listing[$index]['revmodified'] = escape($listing[$index]['revmodified']);
 }
 $row = 1 - $row;
--- a/comp.php
+++ b/comp.php
@@ -381,7 +381,7 @@ if ($rep) {
 $absnode .= $node;
 }
- $listing[$index]['newpath'] = $absnode;
+ $listing[$index]['newpath'] = escape($absnode);
 $listing[$index]['fileurl'] = $config->getURL($rep, $absnode, 'file').'rev='.$rev2;
--- a/listing.php
+++ b/listing.php
@@ -123,7 +123,7 @@ function showDirFiles($svnrep, $subs, $l
 $listing[$index]['level'] = ($treeview) ? $level : 0;
 $listing[$index]['node'] = 0; // t-node
 $listing[$index]['path'] = $path.$file;
- $listing[$index]['filename'] = $file;
+ $listing[$index]['filename'] = escape($file);
 if ($isDir) {
 $listing[$index]['fileurl'] = urlForPath($path.$file, $passRevString);
 } else {
@@ -137,7 +137,7 @@ function showDirFiles($svnrep, $subs, $l
 }
 if ($treeview) {
- $listing[$index]['compare_box'] = '';
+ $listing[$index]['compare_box'] = '';
 }
 if ($config->showLastModInListing()) {
 $listing[$index]['committime'] = $entry->committime;
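Review bot: The three added `escape()` calls run on the already-joined strings, so whatever separator `implode()` inserts is encoded together with the paths. The separator is not legible on this page (only a line break shows between the quotes); if it is markup in the real file, the log view would render it as literal text after this change. Escaping each element before joining avoids that and removes the assign-then-reassign pattern, e.g. `implode($sep, array_map('escape', $modpaths['A']))`, where `$sep` is a placeholder for the existing separator. The enclosing block starts and ends outside the hunk.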
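Review bot: `fileurl` on the last line of this hunk is still built from the raw `$absnode`, so the path reaches the output through a second field that the change leaves alone. Whether `getURL()` percent-encodes its path argument is not visible here; if it does not, and the template places `fileurl` in a link attribute, special characters in a path would arrive there unencoded. The same question applies to `urlForPath($path.$file, $passRevString)` in the first listing.php hunk. A comment above the assignment, such as `// newpath is HTML-escaped for display; fileurl relies on getURL() encoding $absnode`, would record the assumption once it is confirmed.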