diff options
| author | Morgan Bazalgette <git@howl.moe> | 2018-01-22 22:28:16 +0100 |
|---|---|---|
| committer | Lauris BH <lauris@nix.lv> | 2018-01-22 23:28:16 +0200 |
| commit | d644e8810710bc2e5035aa25f63c597c47312404 (patch) | |
| tree | 12792cd113174c36ca3247434e611da6e7a4a365 /modules | |
| parent | 00d08473b8fd4501100119808253a2e1afc6fd7f (diff) | |
| download | gitea-d644e8810710bc2e5035aa25f63c597c47312404.tar.gz gitea-d644e8810710bc2e5035aa25f63c597c47312404.zip | |
HTML escape all lines of the search result (#3402)
Fixes #3383.
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/search/search.go | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/modules/search/search.go b/modules/search/search.go index 1c13f11f8f..db0c0a6168 100644 --- a/modules/search/search.go +++ b/modules/search/search.go @@ -6,6 +6,7 @@ package search import ( "bytes" + "html" gotemplate "html/template" "strings" @@ -75,17 +76,17 @@ func searchResult(result *indexer.RepoSearchResult, startIndex, endIndex int) (* closeActiveIndex := util.Min(result.EndIndex-index, len(line)) err = writeStrings(&formattedLinesBuffer, `<li>`, - line[:openActiveIndex], + html.EscapeString(line[:openActiveIndex]), `<span class='active'>`, - line[openActiveIndex:closeActiveIndex], + html.EscapeString(line[openActiveIndex:closeActiveIndex]), `</span>`, - line[closeActiveIndex:], + html.EscapeString(line[closeActiveIndex:]), `</li>`, ) } else { err = writeStrings(&formattedLinesBuffer, `<li>`, - line, + html.EscapeString(line), `</li>`, ) } |