mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-27 09:11:53 -05:00
forgejo/templates
Gusted ef05332c3b
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
through `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited: the names of authors and committers on a Git
commit are user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do so, as it actually strips `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as it doesn't have such restrictions.
- Pass `.Author.Name` through `Escape` in order to be sanitized.

(cherry picked from commit d24c37e132)

Conflicts:
	templates/repo/wiki/revision.tmpl
	templates/repo/wiki/view.tmpl
	trivial context conflict
2024-02-22 22:36:14 +01:00
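The pattern the commit describes, as an added example that is not Forgejo's own template code: the "last commit" line concatenates a trusted HTML time element with the commit author's name and then marks the whole string safe, so the name reaches the page unescaped. The `Safe` and `Escape` helpers below are stand-ins written for this example (Forgejo's real helpers are not reproduced here), the `Commit` and `view` types are assumed, and the attacker-supplied author name is constructed sample data. `RenderVulnerable` reproduces the unsanitized shape, `RenderFixed` escapes the name before it joins the string that `Safe` marks as HTML.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
)

// Commit models the two fields the wiki "last commit" line reads.
// AuthorName comes verbatim from the commit object and is attacker controlled;
// git's CLI strips '<' and '>' from names, but a commit written by another
// library (go-git, as the commit message notes) can carry arbitrary bytes.
// This type is an assumption for the example, not Forgejo's model.
type Commit struct {
	AuthorName string
	When       string // ISO-8601 timestamp, constructed sample data
}

// view is the data handed to the template (assumed shape for this example).
type view struct {
	TimeHTML   string // trusted markup produced by server code
	AuthorName string // untrusted
}

// funcs mirrors the two helper names used in the commit message.
// These are stand-ins, not Forgejo's implementations.
var funcs = template.FuncMap{
	// Safe marks a string as trusted HTML; html/template emits it unescaped.
	"Safe": func(s string) template.HTML { return template.HTML(s) },
	// Escape HTML-encodes a string so it can be safely joined into markup.
	"Escape": func(s string) string { return html.EscapeString(s) },
}

// vulnerableTmpl: the whole line, author name included, is passed through
// Safe, so html/template's auto-escaping is bypassed for the name too.
const vulnerableTmpl = `{{ printf "%s by %s" .TimeHTML .AuthorName | Safe }}`

// fixedTmpl: only the server-built time element stays raw; the name is
// escaped before it becomes part of the string that Safe marks as HTML.
const fixedTmpl = `{{ printf "%s by %s" .TimeHTML (Escape .AuthorName) | Safe }}`

// render executes one of the two templates against a commit.
func render(tmpl string, c Commit) (string, error) {
	t, err := template.New("last-commit").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	v := view{
		// The time element is built from a server-controlled value and is
		// the legitimate reason the line is marked Safe in the first place.
		TimeHTML:   fmt.Sprintf(`<relative-time datetime="%s"></relative-time>`, html.EscapeString(c.When)),
		AuthorName: c.AuthorName,
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderVulnerable reproduces the pre-fix behaviour: the name is not escaped.
func RenderVulnerable(c Commit) (string, error) { return render(vulnerableTmpl, c) }

// RenderFixed reproduces the fix: the name is passed through Escape first.
func RenderFixed(c Commit) (string, error) { return render(fixedTmpl, c) }

func main() {
	// Constructed attacker-controlled author name carrying an HTML payload.
	c := Commit{AuthorName: `<img src=x onerror=alert(1)>`, When: "2024-02-22T21:36:14Z"}
	v, _ := RenderVulnerable(c)
	f, _ := RenderFixed(c)
	fmt.Println("vulnerable:", v)
	fmt.Println("fixed:     ", f)
}
```

The takeaway for reviewing templates of this kind: once a pipeline ends in `Safe`, every value that was concatenated into it upstream loses the contextual escaping `html/template` would otherwise apply, so each untrusted component must be escaped individually before the join, not the joined result.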
| Name | Last commit | Date |
|---|---|---|
| admin | [BRANDING] define the forgejo webhook type | 2023-08-21 07:22:16 +02:00 |
| api/packages/pypi | Remove incorrect HTML self close tag (#23748) | 2023-03-27 18:05:51 +02:00 |
| base | [BRANDING] link to forgejo.org/docs instead of docs.gitea.io | 2023-07-17 00:25:56 +02:00 |
| code | Use data-tooltip-content for tippy tooltip (#23649) | 2023-03-24 18:35:38 +08:00 |
| custom | Add footer extra links template (#9576) | 2020-01-03 20:41:56 +02:00 |
| devtest | Make "cancel" buttons have proper type in modal forms (#25618) (#25641) | 2023-07-03 17:09:38 +08:00 |
| explore | Fix incorrect sort link with .profile repository (#26374) (#26379) | 2023-08-21 07:22:18 +02:00 |
| mail | Remove incorrect HTML self close tag (#23748) | 2023-03-27 18:05:51 +02:00 |
| org | Fix incorrect "tabindex" attributes (#26733) (#26734) | 2023-09-08 08:07:19 +02:00 |
| package | RPM Registry: Show zypper commands for SUSE based distros as well (#25981) (#26020) | 2023-07-24 07:59:10 +02:00 |
| projects | Fix incorrect "tabindex" attributes (#26733) (#26734) | 2023-09-08 08:07:19 +02:00 |
| repo | [SECURITY] Fix XSS in wiki last commit information | 2024-02-22 22:36:14 +01:00 |
| shared | [BRANDING] gitea logo for gitea webhooks | 2023-09-01 11:56:05 +02:00 |
| status | Show OAuth2 errors to end users (#25261) (#25271) | 2023-06-15 02:48:36 +00:00 |
| swagger | [BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP | 2023-11-14 13:17:12 +01:00 |
| user | Fix incorrect "tabindex" attributes (#26733) (#26734) | 2023-09-08 08:07:19 +02:00 |
| home.tmpl | Improve home page template, fix Sort dropdown menu flash (#23856) | 2023-04-01 13:47:54 +08:00 |
| install.tmpl | Remove duplicated button in Install web page (#27941) | 2023-11-14 13:17:12 +01:00 |
| post-install.tmpl | [BRANDING] Custom loading animation for Forgejo | 2023-07-17 00:25:55 +02:00 |