From 4fdd0ed7282406cf245c922a7962ee75f8e74486 Mon Sep 17 00:00:00 2001 From: Gusted Date: Thu, 18 Jan 2024 00:18:39 +0100 Subject: [PATCH] [SECURITY] Fix XSS in dismissed review - It's possible for reviews to not be associated with users, when they were migrated from another forge instance. In the migration code, there's no sanitization check for author names, so they could contain HTML tags and thus need to be properly escaped. - Pass `$reviewerName` through `Escape`. (cherry picked from commit fe2df46d053b3a06c30c9221899707d3b26c3013) Conflicts: templates/repo/issue/view_content/comments.tmpl trivial context conflict --- templates/repo/issue/view_content/comments.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl index e371df14dc..77ab603fff 100644 --- a/templates/repo/issue/view_content/comments.tmpl +++ b/templates/repo/issue/view_content/comments.tmpl @@ -775,7 +775,7 @@ {{else}} {{$reviewerName = .Review.OriginalAuthor}} {{end}} - {{$.locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}} + {{$.locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}} {{if .Content}}
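Review bot: the trailing `| Safe` on the changed `$.locale.Tr "repo.issues.review.dismissed"` line still marks the whole translated string as trusted markup, so this fix holds only while every argument is escaped at the call site. `$createdStr` is still passed through unescaped on that line; please confirm it can never carry user-controlled text, or escape it the same way. Because the commit message says the migration code applies no sanitization to author names, the durable fix would be to escape `.Review.OriginalAuthor` where `$reviewerName` is assigned in the `{{else}}` branch (or sanitize it at import time), and to check other templates that render `OriginalAuthor` through `Safe`. The diffstat shows only the template changing, so a regression test that renders a dismissed review whose migrated author name contains HTML tags would keep this from silently reappearing.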