SECURITY: fix branch name persistent XSS

Reported by Carl Hattenfels.
7 years ago · b727e0be71
2 changed files with 3 additions and 2 deletions
--- a/templates/repo/editor/commit_form.tmpl
+++ b/templates/repo/editor/commit_form.tmpl
@ -14,7 +14,8 @@
 					<input type="radio" class="js-quick-pull-choice-option" name="commit_choice" value="direct" {{if eq .commit_choice "direct"}}checked{{end}}>
 					<label>
 						<i class="octicon octicon-git-commit" height="16" width="14"></i>
-						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" .BranchName | Safe}}
+						{{$branchName := .BranchName | Str2html}}
+						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" $branchName | Safe}}
 					</label>
 				</div>
 			</div>
--- a/templates/repo/issue/view_title.tmpl
+++ b/templates/repo/issue/view_title.tmpl
@ -28,7 +28,7 @@
 		{{if .Issue.PullRequest.HasMerged}}
 			{{ $mergedStr:= TimeSince .Issue.PullRequest.Merged $.Lang }}
 			<a {{if gt .Issue.PullRequest.Merger.ID 0}}href="{{.Issue.PullRequest.Merger.HomeLink}}"{{end}}>{{.Issue.PullRequest.Merger.Name}}</a>
-			<span class="pull-desc">{{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Safe}}</span>
+			<span class="pull-desc">{{$.i18n.Tr "repo.pulls.merged_title_desc" .NumCommits .HeadTarget .BaseTarget $mergedStr | Str2html}}</span>
 		{{else}}
 			<a {{if gt .Issue.Poster.ID 0}}href="{{.Issue.Poster.HomeLink}}"{{end}}>{{.Issue.Poster.Name}}</a>
 			<span class="pull-desc">{{$.i18n.Tr "repo.pulls.title_desc" .NumCommits .HeadTarget .BaseTarget | Str2html}}</span>