escape strings

HesterG · HesterG · commit 3f8e4473eccd · 2023-03-14T18:15:04.000+08:00
diff --git a/models/user/user.go b/models/user/user.go
@@ -8,6 +8,7 @@ import (
 	"context"
 	"encoding/hex"
 	"fmt"
+	"html"
 	"html/template"
 	"net/url"
 	"os"
@@ -425,10 +426,10 @@ func (u *User) GetSearchNameHTML() template.HTML {
 	if setting.UI.DefaultShowFullName {
 		trimmed := strings.TrimSpace(u.FullName)
 		if len(trimmed) > 0 {
-			return template.HTML(fmt.Sprintf(`%s<span class="text search-fullname"> %s</span>`, u.Name, trimmed))
+			return template.HTML(fmt.Sprintf(`%s<span class="text search-fullname"> %s</span>`, html.EscapeString(u.Name), html.EscapeString(trimmed)))
 		}
 	}
-	return template.HTML(u.Name)
+	return template.HTML(html.EscapeString(u.Name))
 }
 
 func gitSafeName(name string) string {

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"context"`
`9`	`9`	`"encoding/hex"`
`10`	`10`	`"fmt"`
	`11`	`+ "html"`
`11`	`12`	`"html/template"`
`12`	`13`	`"net/url"`
`13`	`14`	`"os"`
`@@ -425,10 +426,10 @@ func (u *User) GetSearchNameHTML() template.HTML {`
`425`	`426`	`if setting.UI.DefaultShowFullName {`
`426`	`427`	`trimmed := strings.TrimSpace(u.FullName)`
`427`	`428`	`if len(trimmed) > 0 {`
`428`		- return template.HTML(fmt.Sprintf(`%s<span class="text search-fullname"> %s</span>`, u.Name, trimmed))
	`429`	+ return template.HTML(fmt.Sprintf(`%s<span class="text search-fullname"> %s</span>`, html.EscapeString(u.Name), html.EscapeString(trimmed)))
`429`	`430`	`}`
`430`	`431`	`}`
`431`		`- return template.HTML(u.Name)`
	`432`	`+ return template.HTML(html.EscapeString(u.Name))`
`432`	`433`	`}`
`433`	`434`
`434`	`435`	`func gitSafeName(name string) string {`