SECURITY: HTML injection in user search API

Reported by Tim Hawes.
7 years ago · ea313d0c1e
1 changed files with 2 additions and 1 deletions
--- a/routes/api/v1/user/user.go
+++ b/routes/api/v1/user/user.go
@ -12,6 +12,7 @@ import (
 	"github.com/gogits/gogs/models"
 	"github.com/gogits/gogs/models/errors"
 	"github.com/gogits/gogs/pkg/context"
+	"github.com/gogits/gogs/pkg/markup"
 )

 func Search(c *context.APIContext) {
@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
 			ID:        users[i].ID,
 			UserName:  users[i].Name,
 			AvatarUrl: users[i].AvatarLink(),
-			FullName:  users[i].FullName,
+			FullName:  markup.Sanitize(users[i].FullName),
 		}
 		if c.IsLogged {
 			results[i].Email = users[i].Email