mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-23 08:47:42 -05:00
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they were migrated from another forge instance. In the migration code, there's no sanitization check for author names, so they could contain HTML tags and thus needs to be properely escaped. - Pass `$reviewerName` trough `Escape`.
This commit is contained in:
parent
92dae3a387
commit
fe2df46d05
1 changed files with 1 additions and 1 deletions
|
@ -615,7 +615,7 @@
|
||||||
{{else}}
|
{{else}}
|
||||||
{{$reviewerName = .Review.OriginalAuthor}}
|
{{$reviewerName = .Review.OriginalAuthor}}
|
||||||
{{end}}
|
{{end}}
|
||||||
{{ctx.Locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}}
|
<span class="dismissed-message">{{ctx.Locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
|
||||||
</span>
|
</span>
|
||||||
</div>
|
</div>
|
||||||
{{if .Content}}
|
{{if .Content}}
|
||||||
|
|
Loading…
Reference in a new issue