Fix username rendering bug (#2122)

* Fix username rendering bug * XSS integration test * Migration to unescape user full names
author: Ethan Koenig <etk39@cornell.edu> 2017-07-12 10:58:52 -0400
committer: Lauris BH <lauris@nix.lv> 2017-07-12 17:58:52 +0300
commit: 858324c21ab95bb46d881cac6f824d8f9b7d2b87 (patch)
tree: b3bbe418449fc8f5307292cfe750b4cf8ff90947 /models/migrations/v37.go
parent: 2c3efd72ce30f77aa7f8056d4973e07912e15da3 (diff)
download: gitea-858324c21ab95bb46d881cac6f824d8f9b7d2b87.tar.gz
gitea-858324c21ab95bb46d881cac6f824d8f9b7d2b87.zip
1 files changed, 32 insertions, 0 deletions
diff --git a/models/migrations/v37.go b/models/migrations/v37.go
new file mode 100644
index 0000000000..aac00e84cb
--- /dev/null
+++ b/models/migrations/v37.go
@@ -0,0 +1,32 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"html"
+
+	"code.gitea.io/gitea/models"
+
+	"github.com/go-xorm/xorm"
+)
+
+func unescapeUserFullNames(x *xorm.Engine) (err error) {
+	const batchSize = 100
+	for start := 0; ; start += batchSize {
+		users := make([]*models.User, 0, batchSize)
+		if err := x.Limit(start, batchSize).Find(users); err != nil {
+			return err
+		}
+		if len(users) == 0 {
+			return nil
+		}
+		for _, user := range users {
+			user.FullName = html.UnescapeString(user.FullName)
+			if _, err := x.Cols("full_name").Update(user); err != nil {
+				return err
+			}
+		}
+	}
+}
author	Ethan Koenig <etk39@cornell.edu>	2017-07-12 10:58:52 -0400
committer	Lauris BH <lauris@nix.lv>	2017-07-12 17:58:52 +0300
commit	858324c21ab95bb46d881cac6f824d8f9b7d2b87 (patch)
tree	b3bbe418449fc8f5307292cfe750b4cf8ff90947 /models/migrations/v37.go
parent	2c3efd72ce30f77aa7f8056d4973e07912e15da3 (diff)
download	gitea-858324c21ab95bb46d881cac6f824d8f9b7d2b87.tar.gz gitea-858324c21ab95bb46d881cac6f824d8f9b7d2b87.zip