Nulo/forgejo
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

[SECURITY] Fix XSS in dismissed review

Browse source 
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
This commit is contained in:
Gusted 2024-01-18 00:18:39 +01:00 committed by Earl Warren
parent 92dae3a387
commit fe2df46d05
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
templates/repo/issue/view_content/comments.tmpl
View file

@ -615,7 +615,7 @@
{{else}}
{{$reviewerName = .Review.OriginalAuthor}}
{{end}}
{{ctx.Locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}}
<span class="dismissed-message">{{ctx.Locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
</span>
</div>
{{if .Content}}