2 files changed, 14 insertions, 0 deletions

diff --git a/routers/repo/issue.go b/routers/repo/issue.go
index 739370da69..a2f4022a73 100644
--- a/routers/repo/issue.go
+++ b/routers/repo/issue.go
@@ -673,6 +673,7 @@ func ViewIssue(ctx *context.Context) {
 		}
 	}
 	ctx.Data["IssueWatch"] = iw
+	ctx.Data["AllowedReactions"] = setting.UI.Reactions
 
 	issue.RenderedContent = string(markdown.Render([]byte(issue.Content), ctx.Repo.RepoLink,
 		ctx.Repo.Repository.ComposeMetas()))
@@ -1447,6 +1448,12 @@ func ChangeIssueReaction(ctx *context.Context, form auth.ReactionForm) {
 
 	switch ctx.Params(":action") {
 	case "react":
+		if !util.IsStringInSlice(form.Content, setting.UI.Reactions) {
+			err := fmt.Errorf("ChangeIssueReaction: '%s' is not an allowed reaction", form.Content)
+			ctx.ServerError(err.Error(), err)
+			return
+		}
+
 		reaction, err := models.CreateIssueReaction(ctx.User, issue, form.Content)
 		if err != nil {
 			log.Info("CreateIssueReaction: %s", err)
@@ -1542,6 +1549,12 @@ func ChangeCommentReaction(ctx *context.Context, form auth.ReactionForm) {
 
 	switch ctx.Params(":action") {
 	case "react":
+		if !util.IsStringInSlice(form.Content, setting.UI.Reactions) {
+			err := fmt.Errorf("ChangeIssueReaction: '%s' is not an allowed reaction", form.Content)
+			ctx.ServerError(err.Error(), err)
+			return
+		}
+
 		reaction, err := models.CreateCommentReaction(ctx.User, comment.Issue, comment, form.Content)
 		if err != nil {
 			log.Info("CreateCommentReaction: %s", err)
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index 0ff077b462..78406de8ac 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -422,6 +422,7 @@ func PrepareViewPullInfo(ctx *context.Context, issue *models.Issue) *git.Compare
 
 	ctx.Data["NumCommits"] = compareInfo.Commits.Len()
 	ctx.Data["NumFiles"] = compareInfo.NumFiles
+	ctx.Data["AllowedReactions"] = setting.UI.Reactions
 	return compareInfo
 }