diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2017-02-19 19:09:59 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-02-19 19:09:59 +0800 |
| commit | 6076c95dd1c1589eaf98f85b008c938adccf9451 (patch) | |
| tree | 091d0eb70fb6d9568e092096ae87b402260cc1dc /templates/repo/issue/view_content.tmpl | |
| parent | dbe6d2ff8eaae64db0ce800f60489afa0935c7ad (diff) | |
| download | gitea-6076c95dd1c1589eaf98f85b008c938adccf9451.tar.gz gitea-6076c95dd1c1589eaf98f85b008c938adccf9451.zip | |
Security: fix XSS attack on milestone (#976)
Reported by Miguel Ángel Jimeno.
Diffstat (limited to 'templates/repo/issue/view_content.tmpl')
| -rw-r--r-- | templates/repo/issue/view_content.tmpl | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl index 381c80cdaf..42e9f01c0b 100644 --- a/templates/repo/issue/view_content.tmpl +++ b/templates/repo/issue/view_content.tmpl @@ -322,7 +322,7 @@ <span class="no-select item {{if .HasSelectedLabel}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_label"}}</span> {{range .Labels}} <div class="item"> - <a class="ui label {{if not .IsChecked}}hide{{end}}" id="label_{{.ID}}" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name}}</a> + <a class="ui label {{if not .IsChecked}}hide{{end}}" id="label_{{.ID}}" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name | Sanitize}}</a> </div> {{end}} @@ -344,7 +344,7 @@ {{.i18n.Tr "repo.issues.new.open_milestone"}} </div> {{range .OpenMilestones}} - <div class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name}}</div> + <div class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name | Sanitize}}</div> {{end}} {{end}} {{if .ClosedMilestones}} @@ -354,7 +354,7 @@ {{.i18n.Tr "repo.issues.new.closed_milestone"}} </div> {{range .ClosedMilestones}} - <a class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name}}</a> + <a class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name | Sanitize}}</a> {{end}} {{end}} </div> @@ -363,7 +363,7 @@ <span class="no-select item {{if .Issue.Milestone}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_milestone"}}</span> <div class="selected"> {{if .Issue.Milestone}} - <a class="item" href="{{.RepoLink}}/issues?milestone={{.Issue.Milestone.ID}}"> {{.Issue.Milestone.Name}}</a> + <a class="item" href="{{.RepoLink}}/issues?milestone={{.Issue.Milestone.ID}}"> {{.Issue.Milestone.Name | Sanitize}}</a> {{end}} </div> </div> |