USEFULL/gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-05-31 11:42:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: HTML injection in user search API

Browse Source 
Reported by Tim Hawes.
This commit is contained in:
Unknwon 2017-10-14 23:53:20 -04:00
parent c1507eda45
commit ea313d0c1e
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
routes/api/v1/user/user.go
View File

@ -12,6 +12,7 @@ import (
"github.com/gogits/gogs/models" "github.com/gogits/gogs/models"
"github.com/gogits/gogs/models/errors" "github.com/gogits/gogs/models/errors"
"github.com/gogits/gogs/pkg/context" "github.com/gogits/gogs/pkg/context"
"github.com/gogits/gogs/pkg/markup"
) )
func Search(c *context.APIContext) { func Search(c *context.APIContext) {
@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
ID: users[i].ID, ID: users[i].ID,
UserName: users[i].Name, UserName: users[i].Name,
AvatarUrl: users[i].AvatarLink(), AvatarUrl: users[i].AvatarLink(),
FullName: users[i].FullName, FullName: markup.Sanitize(users[i].FullName),
} }
if c.IsLogged { if c.IsLogged {
results[i].Email = users[i].Email results[i].Email = users[i].Email