From ef05332c3be415ddc8eb211a55151da12280698b Mon Sep 17 00:00:00 2001
From: Gusted
Date: Wed, 17 Jan 2024 16:16:46 +0100
Subject: [PATCH] [SECURITY] Fix XSS in wiki last commit information

- On the wiki and revisions page, information is shown about the last commit that modified that wiki page. This includes the time it was last edited and by whom. That whole string is not being sanitized (passed through `Safe` in the templates), because the last edited bit is formatted as an HTML element and thus shouldn't be sanitized. The problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited: the names of authors and committers on a Git commit are user controlled, they can be any value and thus also include HTML. It's not easy to actually exploit this, as you cannot use the official git binary to do so, as it actually strips `<` and `>` from user names (trivia: this behaviour was introduced in the initial commit of Git). In the integration testing, go-git actually has to generate this commit as they don't have such restrictions.
- Pass `.Author.Name` through `Escape` in order to be sanitized.

(cherry picked from commit d24c37e132a554cee499df416cf5123964564da8)

Conflicts:
	templates/repo/wiki/revision.tmpl
	templates/repo/wiki/view.tmpl
	trivial context conflict
---
 templates/repo/wiki/revision.tmpl | 2 +-
 templates/repo/wiki/view.tmpl     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/repo/wiki/revision.tmpl b/templates/repo/wiki/revision.tmpl index b2d6e63924..4d8fa25d31 100644 --- a/templates/repo/wiki/revision.tmpl +++ b/templates/repo/wiki/revision.tmpl @@ -10,7 +10,7 @@ {{$title}}
{{$timeSince := TimeSince .Author.When $.locale}} - {{.locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}} + {{.locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
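Review bot: In this hunk only `.Author.Name` is wrapped in `Escape` while the whole `Tr` result is still piped through `Safe`, so the fix relies on every other argument to `repo.wiki.last_commit_info` already being safe HTML; `$timeSince` comes from `TimeSince`, which builds its own markup, so that holds here, but the pattern "escape each untrusted argument, then `Safe` the assembled string" should be stated in a template comment so a future argument (e.g. a committer name, if it is ever shown) is not passed in raw. The commit message mentions that the official git binary strips `<` and `>` from names and that go-git is used to create such a commit in the integration tests; it would be good for that test to assert on the rendered revision page so this line is covered by a regression test rather than only by the view page.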
diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl index c294af3160..e64a106bcb 100644 --- a/templates/repo/wiki/view.tmpl +++ b/templates/repo/wiki/view.tmpl @@ -40,7 +40,7 @@ {{$title}}
{{$timeSince := TimeSince .Author.When $.locale}} - {{.locale.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}} + {{.locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
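Review bot: This hunk is a line-for-line duplicate of the change in `revision.tmpl`, which is exactly how the unescaped `.Author.Name` ended up in two places to begin with; consider moving the `{{$timeSince := ...}}` / `{{.locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}` pair into a shared sub-template so both pages render the last-commit line through one code path and any further escaping fix only has to be made once. Since the commit message notes this is a cherry-pick with a trivial context conflict, please double-check that any other maintained branch receiving this backport gets both hunks, not just the one that applied cleanly.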