Prevent incorrect HTML escaping in swagger.json (#14957)

* Prevent incorrect HTML escaping in swagger.json

Fix #14706

Signed-off-by: Andrew Thornton <art27@cantab.net>

* oops add it to the helper

Signed-off-by: Andrew Thornton <art27@cantab.net>

* try again

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
This commit is contained in:
zeripath 2021-03-12 04:43:04 +00:00 committed by GitHub
parent df76d9f7ad
commit 91ee3be588
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 5 deletions

View file

@ -127,8 +127,8 @@ GO_SOURCES_OWN := $(filter-out vendor/% %/bindata.go, $(GO_SOURCES))
#To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger #To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger
SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger
SWAGGER_SPEC := templates/swagger/v1_json.tmpl SWAGGER_SPEC := templates/swagger/v1_json.tmpl
SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl}}/api/v1"|g SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl}}/api/v1"|"basePath": "/api/v1"|g SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
SWAGGER_EXCLUDE := code.gitea.io/sdk SWAGGER_EXCLUDE := code.gitea.io/sdk
SWAGGER_NEWLINE_COMMAND := -e '$$a\' SWAGGER_NEWLINE_COMMAND := -e '$$a\'

View file

@ -92,6 +92,7 @@ func NewFuncMap() []template.FuncMap {
}, },
"Safe": Safe, "Safe": Safe,
"SafeJS": SafeJS, "SafeJS": SafeJS,
"JSEscape": JSEscape,
"Str2html": Str2html, "Str2html": Str2html,
"TimeSince": timeutil.TimeSince, "TimeSince": timeutil.TimeSince,
"TimeSinceUnix": timeutil.TimeSinceUnix, "TimeSinceUnix": timeutil.TimeSinceUnix,
@ -629,6 +630,11 @@ func Escape(raw string) string {
return html.EscapeString(raw) return html.EscapeString(raw)
} }
// JSEscape escapes a JS string
func JSEscape(raw string) string {
return template.JSEscapeString(raw)
}
// List traversings the list // List traversings the list
func List(l *list.List) chan interface{} { func List(l *list.List) chan interface{} {
e := l.Front() e := l.Front()

View file

@ -9,7 +9,7 @@
// //
// Schemes: http, https // Schemes: http, https
// BasePath: /api/v1 // BasePath: /api/v1
// Version: {{AppVer}} // Version: {{AppVer | JSEscape | Safe}}
// License: MIT http://opensource.org/licenses/MIT // License: MIT http://opensource.org/licenses/MIT
// //
// Consumes: // Consumes:

View file

@ -19,9 +19,9 @@
"name": "MIT", "name": "MIT",
"url": "http://opensource.org/licenses/MIT" "url": "http://opensource.org/licenses/MIT"
}, },
"version": "{{AppVer}}" "version": "{{AppVer | JSEscape | Safe}}"
}, },
"basePath": "{{AppSubUrl}}/api/v1", "basePath": "{{AppSubUrl | JSEscape | Safe}}/api/v1",
"paths": { "paths": {
"/admin/cron": { "/admin/cron": {
"get": { "get": {