From 6076c95dd1c1589eaf98f85b008c938adccf9451 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Sun, 19 Feb 2017 19:09:59 +0800 Subject: [PATCH] Security: fix XSS attack on milestone (#976) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported by Miguel Ángel Jimeno. --- templates/repo/issue/list.tmpl | 8 ++++---- templates/repo/issue/milestones.tmpl | 2 +- templates/repo/issue/view_content.tmpl | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl index bb7327ebf..1b060cb23 100644 --- a/templates/repo/issue/list.tmpl +++ b/templates/repo/issue/list.tmpl @@ -34,7 +34,7 @@ @@ -48,7 +48,7 @@ @@ -106,7 +106,7 @@ {{.Title}} {{range .Labels}} - {{.Name}} + {{.Name | Sanitize}} {{end}} {{if .NumComments}} @@ -117,7 +117,7 @@ {{$.i18n.Tr "repo.issues.opened_by" $timeStr .Poster.HomeLink .Poster.Name | Safe}} {{if .Milestone}} - {{.Milestone.Name}} + {{.Milestone.Name | Sanitize}} {{end}} {{if .Assignee}} diff --git a/templates/repo/issue/milestones.tmpl b/templates/repo/issue/milestones.tmpl index 3703301e1..1cce9169d 100644 --- a/templates/repo/issue/milestones.tmpl +++ b/templates/repo/issue/milestones.tmpl @@ -43,7 +43,7 @@
{{range .Milestones}}
  • - {{.Name}} + {{.Name | Sanitize}}
    diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl index 381c80cda..42e9f01c0 100644 --- a/templates/repo/issue/view_content.tmpl +++ b/templates/repo/issue/view_content.tmpl @@ -322,7 +322,7 @@ {{.i18n.Tr "repo.issues.new.no_label"}} {{range .Labels}} {{end}} @@ -344,7 +344,7 @@ {{.i18n.Tr "repo.issues.new.open_milestone"}}
    {{range .OpenMilestones}} -
    {{.Name}}
    +
    {{.Name | Sanitize}}
    {{end}} {{end}} {{if .ClosedMilestones}} @@ -354,7 +354,7 @@ {{.i18n.Tr "repo.issues.new.closed_milestone"}}
    {{range .ClosedMilestones}} - {{.Name}} + {{.Name | Sanitize}} {{end}} {{end}}
  • @@ -363,7 +363,7 @@ {{.i18n.Tr "repo.issues.new.no_milestone"}}
    {{if .Issue.Milestone}} - {{.Issue.Milestone.Name}} + {{.Issue.Milestone.Name | Sanitize}} {{end}}