From 0764b1f48c59d3f07bdf7610c6be290cc3fa3204 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Sat, 2 Aug 2025 15:26:34 +0200 Subject: [PATCH] product-list: Escape untrusted values --- src/root/product-list.tt | 56 ++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/src/root/product-list.tt b/src/root/product-list.tt index 4d545b3e..97fe6141 100644 --- a/src/root/product-list.tt +++ b/src/root/product-list.tt @@ -1,17 +1,17 @@ [% BLOCK renderProductLinks %] URL: - [% uri %] + uri) %]>[% uri | html %] [% IF latestRoot %] Links to latest: [% uri2 = "${c.uri_for(latestRoot.join('/') 'download-by-type' product.type product.subtype)}" %] - [% uri2 %] + uri2) %]>[% uri2 | html %]
[% uri2 = "${c.uri_for(latestRoot.join('/') 'download' product.productnr)}" %] - [% uri2 %] + uri2) %]>[% uri2 | html %] [% END %] @@ -49,7 +49,7 @@ Error - + contents) %]> Failed build produced output. Click here to inspect the output. @@ -58,9 +58,9 @@

If you have Nix installed on your machine, this failed build output and all its dependencies can be unpacked into your local Nix store by doing:

-
$ curl [% uri %] | gunzip | nix-store --import
+
$ curl [% HTML.escape(uri) %] | gunzip | nix-store --import
-

The build output can then be found in the path [% product.path %].

+

The build output can then be found in the path [% product.path | html %].

[% END %] @@ -74,7 +74,7 @@ Nix package - [% HTML.escape(build.nixname) %] + [% build.nixname | html %] [% WRAPPER makePopover title="Help" classes="btn-secondary btn-sm" @@ -84,7 +84,7 @@
$ nix-env -i [%HTML.escape(product.path)%][% IF binaryCachePublicUri %] --option binary-caches [% HTML.escape(binaryCachePublicUri) %][% END %]
[% END %] [% IF localStore %] - Contents + contents) %]>Contents [% END %] @@ -100,8 +100,8 @@ [% filename = build.nixname _ (product.subtype ? "-" _ product.subtype : "") _ ".closure.gz" %] [% uri = c.uri_for('/build' build.id 'nix' 'closure' filename ) %] - - [% product.path %] + uri) %]> + [% product.path | html %] @@ -110,16 +110,16 @@ all its dependencies can be unpacked into your local Nix store by doing:

-
$ gunzip < [% filename %] | nix-store --import
+
$ gunzip < [% HTML.escape(filename) %] | nix-store --import

or to download and unpack in one command:

-
$ curl [% uri %] | gunzip | nix-store --import
+
$ curl [% HTML.escape(uri) %] | gunzip | nix-store --import

The package can then be found in the path [% - product.path %]. You’ll probably also want to do

+ product.path | html %]. You’ll probably also want to do

-
$ nix-env -i [% product.path %]
+
$ nix-env -i [% HTML.escape(product.path) %]

to actually install the package in your Nix user environment.
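Review bot: in this hunk `[% HTML.escape(filename) %]`, `[% HTML.escape(uri) %]` and `[% HTML.escape(product.path) %]` are escaped for HTML only, yet they are interpolated unquoted into shell commands the reader is meant to paste (`$ gunzip < [% HTML.escape(filename) %] | nix-store --import`, `$ nix-env -i [% HTML.escape(product.path) %]`). HTML escaping does not neutralise shell metacharacters, so if `filename` or `product.path` can contain whitespace, `$`, backticks or quotes, the rendered command will break or run something else when pasted. If those values are guaranteed to come from the restricted Nix store-path character set, say so in the commit message; otherwise wrap the interpolated value in single quotes (and reject or escape `'`) so the copy-paste command is robust. Separately, the prose two lines above uses the `| html` filter (`product.path | html`) while the `<pre>` lines keep `HTML.escape()`; using one form throughout the file makes the next audit easier.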

@@ -174,16 +174,16 @@ Channel expression tarball - [% IF product.subtype != "-" %]for [% product.subtype %][% END %] + [% IF product.subtype != "-" %]for [% product.subtype | html %][% END %] [% ELSE %] File - [% product.subtype %] + [% HTML.escape(product.subtype) %] [% END %] [% END %] - - [% product.name %] + uri) %]> + [% product.name | html %] @@ -191,12 +191,12 @@ [% INCLUDE renderProductLinks %] - - + +
File size:[% product.filesize %] bytes ([% mibs(product.filesize / (1024 * 1024)) %] MiB)
SHA-256 hash:[% product.sha256hash %]
Full path:[% product.path %]
SHA-256 hash:[% product.sha256hash | html %]
Full path:[% product.path | html %]
[% END %] [% IF localStore %] - Contents + contents) %]>Contents [% END %] @@ -211,15 +211,15 @@ [% CASE "coverage" %] Code coverage - + uri) %]> Analysis report [% CASE DEFAULT %] Report - - [% product.subtype %] + uri) %]> + [% product.subtype | html %] [% END %] @@ -240,7 +240,7 @@ Documentation - + uri) %]> [% SWITCH product.subtype %] [% CASE "readme" %] Read Me! @@ -249,7 +249,7 @@ [% CASE "release-notes" %] Release notes [% CASE DEFAULT %] - [% product.subtype %] + [% HTML.escape(product.subtype) %] [% END %] @@ -266,12 +266,12 @@ - [% product.type %] + [% product.type | html %] - [% product %] + [% HTML.escape(product) %]
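Review bot: the patch moves in both directions on escaping style. The `@@ -74,7` hunk replaces a working `[% HTML.escape(build.nixname) %]` with `[% build.nixname | html %]`, while the `@@ -174,16` hunk escapes the same field two ways two lines apart (`for [% product.subtype | html %]` and `[% HTML.escape(product.subtype) %]`), and `@@ -249,7` adds `[% HTML.escape(product.subtype) %]` again. Pick one form (the filter reads better inline and is what most of the new lines use) and apply it consistently, so a grep for unescaped `[% product.` or `[% build.` can be used as the completeness check. The subject line "Escape untrusted values" would also benefit from a body naming which fields are attacker-influenced (product.name, product.subtype, product.path, build.nixname, filename) and where they originate, since that is what a future reader needs to judge whether a new template expression must be escaped.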
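Review bot: in the `@@ -191,12` hunk only `product.sha256hash | html` and `product.path | html` gain a filter; `[% product.filesize %] bytes ([% mibs(product.filesize / (1024 * 1024)) %] MiB)` on the row above stays raw. If `filesize` is always an integer from the database this is harmless, but the premise of the patch is that product fields are untrusted, so either filter it as well (`[% product.filesize | html %]`, and `mibs(...) | html`) or leave a comment stating why this row is exempt, so the exemption is visibly deliberate rather than an omission.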
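Review bot: the `href` hunks (`@@ -100,8`, `@@ -211,15`, `@@ -240,7` and the `Contents` links in `@@ -84,7` and `@@ -191,12`) now HTML-escape the attribute value, which stops attribute breakout but does nothing about the scheme: a `javascript:` or `data:` URL survives `HTML.escape` unchanged. For `uri` this is fine because it is built by the router (`[% uri = c.uri_for('/build' build.id 'nix' 'closure' filename ) %]`), but the `contents` variable used in `contents) %]>Contents` is not defined anywhere in this diff, so please confirm it is likewise produced by `uri_for` and not taken verbatim from product data. Worth a one-line comment at the top of the template saying that hrefs must be router-generated, since escaping alone will not enforce that.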
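Review bot: in the `@@ -266,12` hunk `[% product %]` becomes `[% HTML.escape(product) %]`, i.e. the whole product structure is stringified and escaped in the `CASE DEFAULT` branch. If `product` is a hash this prints a Perl reference rather than anything useful, as it did before the patch; since the sibling line already uses `product.type | html`, consider rendering a specific field (for example `product.name | html`, as the `@@ -174,16` hunk does) instead of the bare object, or documenting what this fallback is expected to show.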