
From f331f09bbd849c0aa568f704a09e81ff77fc50f8 Mon Sep 17 00:00:00 2001
From: Unknwon <u@gogs.io>
Date: Sat, 14 Oct 2017 23:53:20 -0400
Subject: [PATCH 3/4] SECURITY: HTML injection in user search API
Reported by Tim Hawes.
---
routes/api/v1/user/user.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go
index dbf727def..8326eea57 100644
--- a/routes/api/v1/user/user.go
+++ b/routes/api/v1/user/user.go
@@ -12,6 +12,7 @@ import (
"github.com/gogits/gogs/models"
"github.com/gogits/gogs/models/errors"
"github.com/gogits/gogs/pkg/context"
+ "github.com/gogits/gogs/pkg/markup"
)
func Search(c *context.APIContext) {
@@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
ID: users[i].ID,
UserName: users[i].Name,
AvatarUrl: users[i].AvatarLink(),
- FullName: users[i].FullName,
+ FullName: markup.Sanitize(users[i].FullName),
}
if c.IsLogged {
results[i].Email = users[i].Email
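Review bot: The sanitization on the `FullName:` line is applied only at this API response, while the stored value in `users[i].FullName` stays unsanitized, so every other route or template that renders a user's full name needs the same treatment and will silently regress if one is missed. Consider moving the call into a shared user-to-API conversion helper, or sanitizing when the profile is saved, so the fix does not depend on each consumer remembering it; `UserName` and `Email` on the adjacent lines are presumably constrained by validation elsewhere, but that is not visible in this hunk and worth confirming. A short why-comment would help the next reader, e.g. `// FullName is user-controlled free text; strip HTML before it reaches clients that render it unescaped.`. The body of Search begins and ends outside this hunk, so any remaining fields of the result struct could not be checked here.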
--
2.15.0