escape branch names in compare url (#14364)

diff --git a/routers/repo/editor.go b/routers/repo/editor.go
index 7538c4cdaac2e69387eb2cb71820a1ce82269fcf..afb6605dc33c9c064f9c3341061151a0f4e2e805 100644 (file)
--- a/routers/repo/editor.go
+++ b/routers/repo/editor.go
@@ -287,7 +287,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
                } else if models.IsErrCommitIDDoesNotMatch(err) {
                        ctx.RenderWithErr(ctx.Tr("repo.editor.file_changed_while_editing", ctx.Repo.RepoLink+"/compare/"+form.LastCommit+"..."+ctx.Repo.CommitID), tplEditFile, &form)
                } else if git.IsErrPushOutOfDate(err) {
-                       ctx.RenderWithErr(ctx.Tr("repo.editor.file_changed_while_editing", ctx.Repo.RepoLink+"/compare/"+form.LastCommit+"..."+form.NewBranchName), tplEditFile, &form)
+                       ctx.RenderWithErr(ctx.Tr("repo.editor.file_changed_while_editing", ctx.Repo.RepoLink+"/compare/"+form.LastCommit+"..."+util.PathEscapeSegments(form.NewBranchName)), tplEditFile, &form)
                } else if git.IsErrPushRejected(err) {
                        errPushRej := err.(*git.ErrPushRejected)
                        if len(errPushRej.Message) == 0 {
@@ -319,7 +319,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
        }
 
        if form.CommitChoice == frmCommitChoiceNewBranch && ctx.Repo.Repository.UnitEnabled(models.UnitTypePullRequests) {
-               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + ctx.Repo.BranchName + "..." + form.NewBranchName)
+               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + util.PathEscapeSegments(ctx.Repo.BranchName) + "..." + util.PathEscapeSegments(form.NewBranchName))
        } else {
                ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName) + "/" + util.PathEscapeSegments(form.TreePath))
        }
@@ -500,7 +500,7 @@ func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) {
 
        ctx.Flash.Success(ctx.Tr("repo.editor.file_delete_success", ctx.Repo.TreePath))
        if form.CommitChoice == frmCommitChoiceNewBranch && ctx.Repo.Repository.UnitEnabled(models.UnitTypePullRequests) {
-               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + ctx.Repo.BranchName + "..." + form.NewBranchName)
+               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + util.PathEscapeSegments(ctx.Repo.BranchName) + "..." + util.PathEscapeSegments(form.NewBranchName))
        } else {
                treePath := filepath.Dir(ctx.Repo.TreePath)
                if treePath == "." {
@@ -677,7 +677,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
                        branchErr := err.(models.ErrBranchAlreadyExists)
                        ctx.RenderWithErr(ctx.Tr("repo.editor.branch_already_exists", branchErr.BranchName), tplUploadFile, &form)
                } else if git.IsErrPushOutOfDate(err) {
-                       ctx.RenderWithErr(ctx.Tr("repo.editor.file_changed_while_editing", ctx.Repo.RepoLink+"/compare/"+ctx.Repo.CommitID+"..."+form.NewBranchName), tplUploadFile, &form)
+                       ctx.RenderWithErr(ctx.Tr("repo.editor.file_changed_while_editing", ctx.Repo.RepoLink+"/compare/"+ctx.Repo.CommitID+"..."+util.PathEscapeSegments(form.NewBranchName)), tplUploadFile, &form)
                } else if git.IsErrPushRejected(err) {
                        errPushRej := err.(*git.ErrPushRejected)
                        if len(errPushRej.Message) == 0 {
@@ -703,7 +703,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
        }
 
        if form.CommitChoice == frmCommitChoiceNewBranch && ctx.Repo.Repository.UnitEnabled(models.UnitTypePullRequests) {
-               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + ctx.Repo.BranchName + "..." + form.NewBranchName)
+               ctx.Redirect(ctx.Repo.RepoLink + "/compare/" + util.PathEscapeSegments(ctx.Repo.BranchName) + "..." + util.PathEscapeSegments(form.NewBranchName))
        } else {
                ctx.Redirect(ctx.Repo.RepoLink + "/src/branch/" + util.PathEscapeSegments(branchName) + "/" + util.PathEscapeSegments(form.TreePath))
        }