1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-24 08:57:03 -05:00

fix(oauth): HTML snippets in templates can be displayed

These changes were missed when cherry-picking the following

c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)

Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
This commit is contained in:
Earl Warren 2024-06-05 15:42:50 +02:00
parent d4eeb06a20
commit caadd1815a
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -10,6 +10,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"html" "html"
"html/template"
"io" "io"
"net/http" "net/http"
"net/url" "net/url"
@ -502,11 +503,11 @@ func AuthorizeOAuth(ctx *context.Context) {
ctx.Data["Scope"] = form.Scope ctx.Data["Scope"] = form.Scope
ctx.Data["Nonce"] = form.Nonce ctx.Data["Nonce"] = form.Nonce
if user != nil { if user != nil {
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name)) ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name)))
} else { } else {
ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName)) ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName)))
} }
ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>" ctx.Data["ApplicationRedirectDomainHTML"] = template.HTML("<strong>" + html.EscapeString(form.RedirectURI) + "</strong>")
// TODO document SESSION <=> FORM // TODO document SESSION <=> FORM
err = ctx.Session.Set("client_id", app.ClientID) err = ctx.Session.Set("client_id", app.ClientID)
if err != nil { if err != nil {