SECURITY: HTML injection in user search API

Reported by Tim Hawes.
Unknwon 2017-10-14 23:53:20 -04:00
parent c1507eda45
commit ea313d0c1e
1 changed files with 2 additions and 1 deletions


@ -12,6 +12,7 @@ import (
"github.com/gogits/gogs/models"
"github.com/gogits/gogs/models/errors"
"github.com/gogits/gogs/pkg/context"
"github.com/gogits/gogs/pkg/markup"
)
func Search(c *context.APIContext) {
@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
ID: users[i].ID,
UserName: users[i].Name,
AvatarUrl: users[i].AvatarLink(),
FullName: users[i].FullName,
FullName: markup.Sanitize(users[i].FullName),
}
if c.IsLogged {
results[i].Email = users[i].Email
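Review bot: Wrapping `FullName` in `markup.Sanitize` on the new line of the second hunk cleans a single sink, not the source: the same stored `users[i].FullName` is presumably returned by other API handlers and templates, and the `Email` field assigned in the `c.IsLogged` branch right below comes from the same user-controlled record with no treatment at all. A JSON API should normally return the raw field and leave HTML escaping to the consumer at render time; if a web UI inserts this response into the DOM unescaped, that consumer is the actual injection point and needs fixing regardless of this change. Judging by its name, `markup.Sanitize` is a markup sanitizer rather than an escaper, so it may still pass through an allow-listed subset of HTML and will alter legitimate names containing `&` or `<` — worth confirming against its policy. At minimum the intent should be recorded so the next maintainer does not "simplify" it away: `// FullName is user-supplied; sanitized as defense in depth against HTML injection in consumers that render this JSON unescaped.` The body of Search continues past the end of this hunk.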