fix(db): sanitize user full name after find (#7353)

# Conflicts:
#	internal/db/issue.go
#	internal/db/users.go
#	internal/db/users_test.go

CHANGELOG.md

@@ -28,6 +28,7 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
+- _Security:_ Stored XSS for issue assignees. [#7145](https://github.com/gogs/gogs/issues/7145)
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
 - Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. [#7267](https://github.com/gogs/gogs/pull/7267)
 - Mistakenly include the "data" directory under the custom directory in the Docker setup. [#7343](https://github.com/gogs/gogs/pull/7343)

internal/db/repo.go

@@ -483,6 +483,11 @@ func (repo *Repository) getUsersWithAccesMode(e Engine, mode AccessMode) (_ []*U
 		if err = e.In("id", userIDs).Find(&users); err != nil {
 			return nil, err
 		}
+
+		// TODO(unknwon): Rely on AfterFind hook to sanitize user full name.
+		for _, u := range users {
+			u.FullName = markup.Sanitize(u.FullName)
+		}
 	}
 	if !repo.Owner.IsOrganization() {
 		users = append(users, repo.Owner)

internal/db/user.go

@@ -32,6 +32,7 @@ import (
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/errutil"
+	"gogs.io/gogs/internal/markup"
 	"gogs.io/gogs/internal/strutil"
 	"gogs.io/gogs/internal/tool"
 )
@@ -920,14 +921,18 @@ func GetUserByKeyID(keyID int64) (*User, error) {
 	return user, nil
 }
 
+// Deprecated: Use Users.GetByID instead.
 func getUserByID(e Engine, id int64) (*User, error) {
 	u := new(User)
 	has, err := e.ID(id).Get(u)
 	if err != nil {
 		return nil, err
 	} else if !has {
-		return nil, ErrUserNotExist{args: map[string]interface{}{"userID": id}}
+		return nil, ErrUserNotExist{args: errutil.Args{"userID": id}}
 	}
+
+	// TODO(unknwon): Rely on AfterFind hook to sanitize user full name.
+	u.FullName = markup.Sanitize(u.FullName)
 	return u, nil
 }