Fix XSS vulnerabilities (#29336)

- The Wiki page did not sanitize author name - the reviewer name on a "dismiss review" comment is also affected - the migration page has some spots --------- Signed-off-by: jolheiser <john.olheiser@gmail.com> Co-authored-by: Gusted <postmaster@gusted.xyz> Co-authored-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 23:37:21 +01:00
parent 6ca8cb590d
commit 4435d8a4b6
6 changed files with 93 additions and 8 deletions
--- a/templates/repo/wiki/revision.tmpl
+++ b/templates/repo/wiki/revision.tmpl
@@ -10,7 +10,7 @@
 					{{$title}}
 					<div class="ui sub header gt-word-break">
 						{{$timeSince := TimeSince .Author.When ctx.Locale}}
-						{{ctx.Locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
+						{{ctx.Locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
 					</div>
 				</div>
 			</div>
--- a/templates/repo/wiki/view.tmpl
+++ b/templates/repo/wiki/view.tmpl
@@ -40,7 +40,7 @@
 					{{$title}}
 					<div class="ui sub header">
 						{{$timeSince := TimeSince .Author.When ctx.Locale}}
-						{{ctx.Locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
+						{{ctx.Locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
 					</div>
 				</div>
 				<div class="eight wide right aligned column">