mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-26 13:29:12 -05:00
forgejo/templates
Gusted d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
through `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited: the names of authors and committers on a Git
commit are user controlled; they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do so, as it actually strips `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as it doesn't have such restrictions.
- Pass `.Author.Name` through `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
admin Convert visibility to number (#29226) (#29244) 2024-02-20 09:36:28 +01:00
api/packages/pypi Remove incorrect HTML self close tag (#23748) 2023-03-27 18:05:51 +02:00
base [GITEA] Check for Commit in opengraph 2024-01-05 14:26:20 +01:00
code Fix 500 error of searching commits (#28576) (#28579) 2023-12-22 12:10:04 +01:00
custom Add footer extra links template (#9576) 2020-01-03 20:41:56 +02:00
devtest Improve dropdown button alignment and fix hover bug (#27632) (#27637) 2023-10-16 16:15:15 +08:00
explore Keep profile tab when clicking on Language (#28320) (#28331) 2023-12-08 13:41:16 +01:00
mail [GITEA] notifies admins on new user registration (squash) fix URL 2023-12-24 14:41:12 +00:00
org Fix button size in "attached header right" (#28770) (#28774) 2024-01-16 14:39:23 +00:00
package Do not display search box when there's no packages yet (#28146) (#28159) 2023-11-22 17:12:12 +01:00
projects Use full width for project boards (#28225) (#28245) 2023-12-08 13:40:59 +01:00
repo [SECURITY] Fix XSS in wiki last commit information 2024-02-22 13:04:47 +01:00
shared Fix wrong due date rendering in issue list page (#28588) (#28591) 2024-01-16 14:07:46 +00:00
status Clean up template locale usage (#27856) (#27857) 2023-10-31 17:35:55 +01:00
swagger Forbid removing the last admin user (#28337) (#28793) 2024-01-16 14:41:11 +00:00
user Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
webhook [BRANDING] add the forgejo webhook type & update webhook docs URLs 2023-11-13 13:58:18 +01:00
home.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
install.tmpl Merge branch 'rebase-v1.21/forgejo-branding' into wip-v1.21-forgejo 2023-11-13 16:47:18 +01:00
post-install.tmpl [BRANDING] Custom loading animation for Forgejo 2023-11-13 13:58:17 +01:00