Prevent incorrect HTML escaping in swagger.json (#14957)

* Prevent incorrect HTML escaping in swagger.json

Fix #14706

Signed-off-by: Andrew Thornton <art27@cantab.net>
* oops add it to the helper

Signed-off-by: Andrew Thornton <art27@cantab.net>
* try again

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>

diff --git a/Makefile b/Makefile
index 889ec2d3ffd33d0f2ed41beb247f20c0dc3c5a02..00bdbab2591bdcf46d60b667c32fa6d9e6aefee3 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -127,8 +127,8 @@ GO_SOURCES_OWN := $(filter-out vendor/% %/bindata.go, $(GO_SOURCES))
 #To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
-SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl}}/api/v1"|g
-SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
+SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'
 

diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index ab66cc72826933607ca9709718489a68b96a8ef9..7e33f262094eeddaf93feb6d1734931ecc636592 100644 (file)
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -92,6 +92,7 @@ func NewFuncMap() []template.FuncMap {
                },
                "Safe":          Safe,
                "SafeJS":        SafeJS,
+               "JSEscape":      JSEscape,
                "Str2html":      Str2html,
                "TimeSince":     timeutil.TimeSince,
                "TimeSinceUnix": timeutil.TimeSinceUnix,
@@ -629,6 +630,11 @@ func Escape(raw string) string {
        return html.EscapeString(raw)
 }
 
+// JSEscape escapes a JS string
+func JSEscape(raw string) string {
+       return template.JSEscapeString(raw)
+}
+
 // List traversings the list
 func List(l *list.List) chan interface{} {
        e := l.Front()

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 57bcdf49f657a2e40d823e3299b7e906cc1ceb95..60c4f6d790d5f3c516a660107080a8621bcbcdc9 100644 (file)
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -9,7 +9,7 @@
 //
 //     Schemes: http, https
 //     BasePath: /api/v1
-//     Version: {{AppVer}}
+//     Version: {{AppVer | JSEscape | Safe}}
 //     License: MIT http://opensource.org/licenses/MIT
 //
 //     Consumes:

diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 930af907ea8bdf38e27559b1ae87d10a0c0afaef..d44583b816843768020284c7cf4e67bc3c1c90e5 100644 (file)
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -19,9 +19,9 @@
       "name": "MIT",
       "url": "http://opensource.org/licenses/MIT"
     },
-    "version": "{{AppVer}}"
+    "version": "{{AppVer | JSEscape | Safe}}"
   },
-  "basePath": "{{AppSubUrl}}/api/v1",
+  "basePath": "{{AppSubUrl | JSEscape | Safe}}/api/v1",
   "paths": {
     "/admin/cron": {
       "get": {