authorJustin Nuß <nuss.justin@gmail.com>2014-07-22 20:08:04 +0200
committerJustin Nuß <nuss.justin@gmail.com>2014-07-22 20:08:04 +0200
commit636a78fed14a4e63317a14cdec8c4ea3cb25ff86 (patch)
treef0ce806267cfbf4cb211a9350b7d8cb674bef020 /models
parente194cf3291df11ddf4d9235fe0d7e18322bbd0f3 (diff)
Escape tags and quotes in links.
Diffstat (limited to 'models')
-rw-r--r--models/repo.go9
1 files changed, 8 insertions, 1 deletions
diff --git a/models/repo.go b/models/repo.go
index 1cfa50f7b5..845c1b75a9 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,6 +8,7 @@ import (
"errors"
"fmt"
"io/ioutil"
+ "html"
"html/template"
"os"
"path"
@@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
}
func (repo *Repository) DescriptionHtml() template.HTML {
- return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
+ sanitize := func(s string) string {
+ // TODO(nuss-justin): Improve sanitization. Strip all tags?
+ ss := html.EscapeString(s)
+
+ return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
+ }
+ return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
}
// IsRepositoryExist returns true if the repository with given name under user has already existed.