author | zeripath <art27@cantab.net> | 2020-08-28 05:37:05 +0100 |
committer | GitHub <noreply@github.com> | 2020-08-28 00:37:05 -0400 |
commit | d3b5edacb655ced0135ca5f48544612ccc38890e (patch) | |
tree | a77a1fa8e66bb1235e8bbec03d2764c1df6799b8 /routers/user | |
parent | cbc60f5c70dac01af647e5f70730778b008cf234 (diff) | |
Escape more things that are passed through str2html (#12622)
* Escape more things that are passed through str2html
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Bloody editors!
Co-authored-by: mrsdizzie <info@mrsdizzie.com>
* Update routers/user/oauth.go
Co-authored-by: mrsdizzie <info@mrsdizzie.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Diffstat (limited to 'routers/user')
-rw-r--r-- | routers/user/oauth.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/routers/user/oauth.go b/routers/user/oauth.go
index a9e089b39f..12665e94db 100644
--- a/routers/user/oauth.go
+++ b/routers/user/oauth.go
@@ -7,6 +7,7 @@ package user
 import (
 	"encoding/base64"
 	"fmt"
+	"html"
 	"net/url"
 	"strings"
 
@@ -271,8 +272,8 @@ func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
 	ctx.Data["Application"] = app
 	ctx.Data["RedirectURI"] = form.RedirectURI
 	ctx.Data["State"] = form.State
-	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.AppURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"
-	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"
+	ctx.Data["ApplicationUserLink"] = "<a href=\"" + html.EscapeString(setting.AppURL) + html.EscapeString(url.PathEscape(app.User.LowerName)) + "\">@" + html.EscapeString(app.User.Name) + "</a>"
+	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
 	// TODO document SESSION <=> FORM
 	err = ctx.Session.Set("client_id", app.ClientID)
 	if err != nil {
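Review bot: The two rebuilt `ctx.Data` assignments in the second hunk now mix three escaping contexts (URL path, HTML attribute, HTML text) in one concatenation, with nothing at the assignment site marking the result as a pre-escaped fragment that bypasses template auto-escaping; a short comment would keep the next edit from appending a raw value, e.g. `// Pre-escaped HTML fragments (rendered via str2html): every interpolated value must be escaped here, not in the template.` The order applied to the username — `url.PathEscape` first, then `html.EscapeString` — is the correct one for an href attribute, and escaping `setting.AppURL` is harmless even though it is configuration rather than user input. Longer term it would be more robust to hand `app.User` and `form.RedirectURI` to the template and let html/template's contextual escaping build the anchor and `<strong>` element, removing the manual escaping entirely; whether the template can be changed that way is not visible from this hunk. AuthorizeOAuth starts and ends outside the hunk.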