authorzeripath <art27@cantab.net>2019-05-10 18:48:28 +0100
committertechknowlogick <techknowlogick@gitea.io>2019-05-10 13:48:28 -0400
commitd64a646c0a9c4ea1ca7f6213e4d353132cb735c1 (patch)
treeffcfbf7f2c5fdb710a1a3d4b9247d3c0019c209a /models
parent10ff527faefb14b1e06e300d8a4cb3c436c37445 (diff)
downloadgitea-d64a646c0a9c4ea1ca7f6213e4d353132cb735c1.tar.gz
gitea-d64a646c0a9c4ea1ca7f6213e4d353132cb735c1.zip
Escape the commit message on issues update and title in telegram hook (#6901)
Diffstat (limited to 'models')
-rw-r--r--models/action.go3
-rw-r--r--models/webhook_telegram.go3
2 files changed, 4 insertions, 2 deletions
diff --git a/models/action.go b/models/action.go
index 01a6a91704..f397298699 100644
--- a/models/action.go
+++ b/models/action.go
@@ -8,6 +8,7 @@ package models
import (
"encoding/json"
"fmt"
+ "html"
"path"
"regexp"
"strconv"
@@ -580,7 +581,7 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, bra
}
refMarked[issue.ID] = true
- message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), c.Sha1, c.Message)
+ message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), c.Sha1, html.EscapeString(c.Message))
if err = CreateRefComment(doer, refRepo, issue, message, c.Sha1); err != nil {
return err
}
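Review bot: Only c.Message is escaped on the new line, while repo.Link() and c.Sha1 are still interpolated raw into the href attribute; c.Sha1 should be a hex object id, but escaping it too costs nothing and keeps the construction safe if a PushCommit ever carries a non-validated value: `message := fmt.Sprintf(`<a href="%s/commit/%s">%s</a>`, repo.Link(), html.EscapeString(c.Sha1), html.EscapeString(c.Message))`. The escaping happens at construction time before the string is handed to CreateRefComment, so ref comments stored before this change presumably still hold unescaped commit messages and would need a one-off re-sanitisation or escaping at render time to be covered. A short why-comment would help the next reader, e.g. `// the ref comment is emitted as HTML (note the anchor), so the user-supplied commit message must be escaped`. UpdateIssuesCommit starts and ends outside the hunk.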
diff --git a/models/webhook_telegram.go b/models/webhook_telegram.go
index 9aef0e3ece..7976d14c57 100644
--- a/models/webhook_telegram.go
+++ b/models/webhook_telegram.go
@@ -7,6 +7,7 @@ package models
import (
"encoding/json"
"fmt"
+ "html"
"strings"
"code.gitea.io/gitea/modules/git"
@@ -169,7 +170,7 @@ func getTelegramIssuesPayload(p *api.IssuePayload) (*TelegramPayload, error) {
func getTelegramIssueCommentPayload(p *api.IssueCommentPayload) (*TelegramPayload, error) {
url := fmt.Sprintf("%s/issues/%d#%s", p.Repository.HTMLURL, p.Issue.Index, CommentHashTag(p.Comment.ID))
- title := fmt.Sprintf(`<a href="%s">#%d %s</a>`, url, p.Issue.Index, p.Issue.Title)
+ title := fmt.Sprintf(`<a href="%s">#%d %s</a>`, url, p.Issue.Index, html.EscapeString(p.Issue.Title))
var text string
switch p.Action {
case api.HookIssueCommentCreated:
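Review bot: The issue title is now escaped, but the `text` cases that follow the switch are outside this hunk and any user-supplied fields they interpolate (comment body, repository name, sender login) need the same html.EscapeString treatment, otherwise a `<` in a comment body will still break or inject into Telegram's HTML parse mode. The href on the line above the change is built from p.Repository.HTMLURL unescaped; that value looks server-derived, but it is worth confirming the repository path components it embeds are validated. Go's html.EscapeString emits `&#39;` for apostrophes and `&#34;` for double quotes — Telegram documents support for numeric entities, so this should be accepted, but a quick check with an issue titled `it's "quoted"` would confirm the message is delivered rather than rejected with a parse error. getTelegramIssueCommentPayload's body continues past the hunk.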