diff --git a/routers/user/oauth.go b/routers/user/oauth.go index a9e089b39..12665e94d 100644 --- a/routers/user/oauth.go +++ b/routers/user/oauth.go @@ -7,6 +7,7 @@ package user import ( "encoding/base64" "fmt" + "html" "net/url" "strings" @@ -271,8 +272,8 @@ func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) { ctx.Data["Application"] = app ctx.Data["RedirectURI"] = form.RedirectURI ctx.Data["State"] = form.State - ctx.Data["ApplicationUserLink"] = "@" + app.User.Name + "" - ctx.Data["ApplicationRedirectDomainHTML"] = "" + form.RedirectURI + "" + ctx.Data["ApplicationUserLink"] = "@" + html.EscapeString(app.User.Name) + "" + ctx.Data["ApplicationRedirectDomainHTML"] = "" + html.EscapeString(form.RedirectURI) + "" // TODO document SESSION <=> FORM err = ctx.Session.Set("client_id", app.ClientID) if err != nil { diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl index 21d1f215c..e52b4979f 100644 --- a/templates/repo/issue/view_content/comments.tmpl +++ b/templates/repo/issue/view_content/comments.tmpl @@ -106,7 +106,7 @@ {{.Poster.GetDisplayName}} {{$link := printf "%s/commit/%s" $.Repository.HTMLURL $.Issue.PullRequest.MergedCommitID}} - {{$.i18n.Tr "repo.issues.pull_merged_at" $link (ShortSha $.Issue.PullRequest.MergedCommitID) $.BaseTarget $createdStr | Str2html}} + {{$.i18n.Tr "repo.issues.pull_merged_at" $link (ShortSha $.Issue.PullRequest.MergedCommitID) ($.BaseTarget|Escape) $createdStr | Str2html}} {{else if eq .Type 3 5 6}} diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl index a5d753ac0..5ef78f10a 100644 --- a/templates/repo/issue/view_content/pull.tmpl +++ b/templates/repo/issue/view_content/pull.tmpl @@ -121,7 +121,7 @@ {{else if .IsPullWorkInProgress}}