Stop sanitizing full name in API (#17396)

The API convert.toUser function makes the incorrect assumption that full names could
be rendered as is without being escaped. It therefore runs the names through
markup.Sanitize which leads to a double escape of user full names. This
pr stops this.

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

diff --git a/modules/convert/user.go b/modules/convert/user.go
index 164ffb71fd2e710eb7306cfa945543f20ef9f9b5..3f17ae4b4d5d27d2f7be21168b8b0873eb881939 100644 (file)
--- a/modules/convert/user.go
+++ b/modules/convert/user.go
@@ -6,7 +6,6 @@ package convert
 
 import (
        "code.gitea.io/gitea/models"
-       "code.gitea.io/gitea/modules/markup"
        api "code.gitea.io/gitea/modules/structs"
 )
 
@@ -49,7 +48,7 @@ func toUser(user *models.User, signed, authed bool) *api.User {
        result := &api.User{
                ID:          user.ID,
                UserName:    user.Name,
-               FullName:    markup.Sanitize(user.FullName),
+               FullName:    user.FullName,
                Email:       user.GetEmail(),
                AvatarURL:   user.AvatarLink(),
                Created:     user.CreatedUnix.AsTime(),