Escape the commit message on issues update and title in telegram hook (#6901)
authorzeripath <art27@cantab.net>
Fri, 10 May 2019 17:48:28 +0000 (18:48 +0100)
committertechknowlogick <techknowlogick@gitea.io>
Fri, 10 May 2019 17:48:28 +0000 (13:48 -0400)
models/action.go
models/webhook_telegram.go

index 01a6a91704ee055ac5cbe9cc23d6427ac7636a3f..f397298699cda8b98dd47cd12c1cffb6e49e3613 100644 (file)
@@ -8,6 +8,7 @@ package models
 import (
        "encoding/json"
        "fmt"
+       "html"
        "path"
        "regexp"
        "strconv"
@@ -580,7 +581,7 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, bra
                        }
                        refMarked[issue.ID] = true
 
-                       message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), c.Sha1, c.Message)
+                       message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), c.Sha1, html.EscapeString(c.Message))
                        if err = CreateRefComment(doer, refRepo, issue, message, c.Sha1); err != nil {
                                return err
                        }
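Review bot: The `+` line escapes only `c.Message`; `repo.Link()` and `c.Sha1` are still interpolated into the `href` attribute raw, and nothing on the line records that they are trusted. They presumably are server-derived (a hex object id and an internal repository path), but the next maintainer who adds a pusher-controlled field to this format string has no cue that the escaping is selective. A comment above the assignment would make the boundary explicit: `// c.Message is pusher-controlled and is stored as comment HTML; escape it. repo.Link() and c.Sha1 are server-derived.` UpdateIssuesCommit starts and ends outside this hunk, so whether the stored comment is rendered as raw HTML or passes through a further sanitizer cannot be confirmed from here.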
index 9aef0e3ece5f1f4e897c83baa4270d66d279eba2..7976d14c5742f72ce8ced2d71fbb1d88b01c7aa2 100644 (file)
@@ -7,6 +7,7 @@ package models
 import (
        "encoding/json"
        "fmt"
+       "html"
        "strings"
 
        "code.gitea.io/gitea/modules/git"
@@ -169,7 +170,7 @@ func getTelegramIssuesPayload(p *api.IssuePayload) (*TelegramPayload, error) {
 
 func getTelegramIssueCommentPayload(p *api.IssueCommentPayload) (*TelegramPayload, error) {
        url := fmt.Sprintf("%s/issues/%d#%s", p.Repository.HTMLURL, p.Issue.Index, CommentHashTag(p.Comment.ID))
-       title := fmt.Sprintf(`<a href="%s">#%d %s</a>`, url, p.Issue.Index, p.Issue.Title)
+       title := fmt.Sprintf(`<a href="%s">#%d %s</a>`, url, p.Issue.Index, html.EscapeString(p.Issue.Title))
        var text string
        switch p.Action {
        case api.HookIssueCommentCreated:
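Review bot: Only `p.Issue.Title` is escaped on the `+` line, while `url` — built on the line above from `p.Repository.HTMLURL` and `CommentHashTag(p.Comment.ID)` — goes into the `href` unescaped; if `HTMLURL` is server-generated that is acceptable, but a one-line comment should say so: `// Title is user-controlled; HTMLURL and the comment id are server-generated.` The hunk header names the sibling `getTelegramIssuesPayload`, and the other Telegram payload builders in this file are not shown here; if they format a user-supplied title the same way, the same `html.EscapeString` wrapping applies there. The `switch p.Action` body continues outside the hunk, so whether `p.Comment.Body` is interpolated into `text` with the same treatment cannot be checked from this view.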