author | Justin Nuß <nuss.justin@gmail.com> | 2014-07-22 20:08:04 +0200 |
---|---|---|
committer | Justin Nuß <nuss.justin@gmail.com> | 2014-07-22 20:08:04 +0200 |
commit | 636a78fed14a4e63317a14cdec8c4ea3cb25ff86 (patch) | |
tree | f0ce806267cfbf4cb211a9350b7d8cb674bef020 /models | |
parent | e194cf3291df11ddf4d9235fe0d7e18322bbd0f3 (diff) | |
Escape tags and quotes in links.
Diffstat (limited to 'models')
-rw-r--r-- | models/repo.go | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/models/repo.go b/models/repo.go
index 1cfa50f7b5..845c1b75a9 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"html"
 	"html/template"
 	"os"
 	"path"
@@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
 }
 
 func (repo *Repository) DescriptionHtml() template.HTML {
-	return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
+	sanitize := func(s string) string {
+		// TODO(nuss-justin): Improve sanitization. Strip all tags?
+		ss := html.EscapeString(s)
+
+		return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
+	}
+	return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
 }
 
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
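Review bot: Only the substrings that DescriptionPattern matches are escaped in the new DescriptionHtml; everything else in repo.Description is passed through ReplaceAllStringFunc untouched and then cast to template.HTML, so any markup in the non-link part of the description still reaches the page unescaped. Escaping the whole description once and then only wrapping the matches, as sketched below, closes that gap; the closure's per-match html.EscapeString then becomes redundant. Check that DescriptionPattern (defined outside this hunk) still matches URLs after escaping, since `&` becomes `&amp;`, and whether it admits non-http schemes such as `javascript:` — the escaping here does nothing about the scheme of the href. With `target="_blank"` it is also worth emitting `rel="noopener noreferrer"` so the linked page cannot reach window.opener.
```go
func (repo *Repository) DescriptionHtml() template.HTML {
	// Escape the whole description first so text outside the matched
	// links is never emitted as raw HTML; matches are already escaped
	// at this point and are only wrapped, not escaped again.
	escaped := html.EscapeString(repo.Description)
	linkify := func(s string) string {
		return fmt.Sprintf(`<a href="%s" target="_blank" rel="noopener noreferrer">%s</a>`, s, s)
	}
	return template.HTML(DescriptionPattern.ReplaceAllStringFunc(escaped, linkify))
}
```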