From f331f09bbd849c0aa568f704a09e81ff77fc50f8 Mon Sep 17 00:00:00 2001
From: Unknwon <u@gogs.io>
Date: Sat, 14 Oct 2017 23:53:20 -0400
Subject: [PATCH 3/4] SECURITY: HTML injection in user search API
Reported by Tim Hawes.
---
routes/api/v1/user/user.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go
|
|
index dbf727def..8326eea57 100644
|
|
--- a/routes/api/v1/user/user.go
|
|
+++ b/routes/api/v1/user/user.go
|
|
@@ -12,6 +12,7 @@ import (
|
|
"github.com/gogits/gogs/models"
|
|
"github.com/gogits/gogs/models/errors"
|
|
"github.com/gogits/gogs/pkg/context"
|
|
+ "github.com/gogits/gogs/pkg/markup"
|
|
)
|
|
|
|
func Search(c *context.APIContext) {
|
|
@@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
|
|
ID: users[i].ID,
|
|
UserName: users[i].Name,
|
|
AvatarUrl: users[i].AvatarLink(),
|
|
- FullName: users[i].FullName,
|
|
+ FullName: markup.Sanitize(users[i].FullName),
|
|
}
|
|
if c.IsLogged {
|
|
results[i].Email = users[i].Email
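Review bot: `markup.Sanitize` is applied only to the `FullName` field of this one response struct, so if any other handler serializes the same `users[i].FullName` value it still returns the raw string; the sanitization should either be applied consistently at every serialization point or moved to where the value is stored, so the API does not depend on each handler remembering it. The behaviour of `markup.Sanitize` is not visible in this hunk (whether it strips tags or escapes them decides whether a legitimate name containing `<` survives), so the new line deserves a why-comment such as `// FullName is user-supplied free text; sanitize so clients that render it as HTML are not exposed to injection.` Search's body starts and ends outside this hunk, so whether other fields of `results[i]` (for example `AvatarUrl`) are also user-controlled cannot be confirmed from here.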
--
2.15.0