authorzeripath <art27@cantab.net>2020-12-26 21:58:21 +0000
committerGitHub <noreply@github.com>2020-12-26 21:58:21 +0000
commit236e70f1359ae46818c3916f21401ef4bacf3eaf (patch)
treea4aece861f373f0d32582629958a63f28a752d40 /services
parent5a1ccacac7900f91887440ad2c0d8a1e10fc0dfe (diff)
downloadgitea-236e70f1359ae46818c3916f21401ef4bacf3eaf.tar.gz
gitea-236e70f1359ae46818c3916f21401ef4bacf3eaf.zip
Fix escaping issue in diff (#14153)
Ensure that linecontent is escaped before passing to template.HTML Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'services')
-rw-r--r--services/gitdiff/gitdiff.go7
1 files changed, 3 insertions, 4 deletions
diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 79cd16e193..81b92f7168 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -10,6 +10,7 @@ import (
"bytes"
"context"
"fmt"
+ "html"
"html/template"
"io"
"io/ioutil"
@@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
// escape a line's content or return <br> needed for copy/paste purposes
func getLineContent(content string) string {
if len(content) > 0 {
- return content
+ return html.EscapeString(content)
}
- return "\n"
+ return "<br>"
}
// DiffSection represents a section of a DiffFile.
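Review bot: getLineContent still returns a plain `string`, although after this change the value is always markup: either the escaped text or the literal `<br>`. Nothing in the signature or the comment tells a caller that the result must not be escaped a second time or concatenated with unescaped input. The callers that wrap it in template.HTML are outside this hunk, so I would at least state the contract in the doc comment: `// getLineContent returns content HTML-escaped, or "<br>" for an empty line; the result is markup ready for template.HTML and must not be escaped again.` Returning `template.HTML` directly would make that explicit in the type, if the call sites allow it. The diffstat shows only gitdiff.go changed, so a regression test that feeds a line containing `<`, `>` and `&` through this path would be worth adding alongside the fix.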
@@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
- diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
-
return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
}