Fix escaping issue in diff (#14153)

Ensure that linecontent is escaped before passing to template.HTML

Signed-off-by: Andrew Thornton <art27@cantab.net>

diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 79cd16e193dfe56650f4aa5f5a91fff78186474c..81b92f71686ddd1bbca7ea861a219311bd106b19 100644 (file)
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -10,6 +10,7 @@ import (
        "bytes"
        "context"
        "fmt"
+       "html"
        "html/template"
        "io"
        "io/ioutil"
@@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
 // escape a line's content or return <br> needed for copy/paste purposes
 func getLineContent(content string) string {
        if len(content) > 0 {
-               return content
+               return html.EscapeString(content)
        }
-       return "\n"
+       return "<br>"
 }
 
 // DiffSection represents a section of a DiffFile.
@@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
        diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
        diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
 
-       diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
-
        return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
 }