forgejo/templates/repo
Gusted d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
through `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and committers on a Git
commit are user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do so, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` through `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
actions Fix the runs will not be displayed bug when the main branch have no workflows but other branches have (#28359) (#28365) 2023-12-08 13:41:16 +01:00
branch Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
cite Update JS and PY dependencies (#27501) (#27518) 2023-10-08 19:31:33 +02:00
code Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
diff [BUG] split code conversations in diff tab (#2306) 2024-02-16 14:06:43 +01:00
editor Preserve BOM in web editor (#28935) (#28959) 2024-01-31 14:18:26 +01:00
find Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
graph Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
issue [BUG] split code conversations in diff tab (#2306) 2024-02-16 14:06:43 +01:00
migrate [SECURITY] review(kn4ck3r): more template escapes 2024-02-22 12:54:34 +01:00
projects Use full width for project boards (#28225) (#28245) 2023-12-08 13:40:59 +01:00
pulls Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
release Hide code links on release page if user cannot read code (#29064) (#29066) 2024-02-13 14:17:43 +01:00
settings [SECURITY] review(kn4ck3r): more template escapes 2024-02-22 12:54:34 +01:00
tag Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
wiki [SECURITY] Fix XSS in wiki last commit information 2024-02-22 13:04:47 +01:00
activity.tmpl Render code block in activity tab (#28816) (#28818) 2024-01-31 13:35:54 +01:00
blame.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
branch_dropdown.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
clone_buttons.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
clone_script.tmpl Rework button coloring, add focus and active colors (#24507) 2023-05-29 12:45:22 +00:00
commit_load_branches_and_tags.tmpl Wrap contained tags and branches again (#29021) (#29026) 2024-02-13 14:17:25 +01:00
commit_page.tmpl Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
commit_status.tmpl Restore warning commit status (#27504) (#27529) 2023-10-09 11:56:02 +08:00
commit_statuses.tmpl cleanup locale function usage (#27227) (#27240) 2023-09-25 00:21:38 +00:00
commits.tmpl [GITEA] Detect file rename and show in history 2023-11-13 14:06:30 +01:00
commits_list.tmpl Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
commits_list_small.tmpl Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
commits_table.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
create.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
create_helper.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
empty.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
file_info.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
forks.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
graph.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
header.tmpl Refactor template empty checks (#28351) (#28354) 2023-12-08 13:41:16 +01:00
home.tmpl Add word-break to repo description in home page (#27924) (#27957) 2023-11-08 01:29:33 +00:00
icon.tmpl cleanup repo details icons/labels (#27644) (#27654) 2023-10-19 22:04:24 +02:00
packages.tmpl Fix inconsistent user profile layout across tabs (#25625) 2023-07-06 18:59:24 +00:00
release_tag_header.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
search.tmpl Fix 500 error of searching commits (#28576) (#28579) 2023-12-22 12:10:04 +01:00
search_name.tmpl Clean template/helper.go (#23922) 2023-04-07 03:31:41 -04:00
shabox_badge.tmpl cleanup locale function usage (#27227) (#27240) 2023-09-25 00:21:38 +00:00
sub_menu.tmpl Enable followCursor for language stats bar (#27713) (#27739) 2023-10-22 15:35:58 +02:00
unicode_escape_prompt.tmpl Fix incorrect button CSS usages (#29015) (#29023) 2024-02-13 14:17:18 +01:00
upload.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
user_cards.tmpl Backport ctx locale refactoring manually (#27231) (#27259) (#27260) 2023-09-25 13:15:51 +00:00
view_file.tmpl Fix incorrect button CSS usages (#29015) (#29023) 2024-02-13 14:17:18 +01:00
view_list.tmpl Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
watchers.tmpl Fix user-cards format (#24428) 2023-04-29 15:43:01 -04:00