
SECURITY: HTML injection in user search API

Reported by Tim Hawes.
pull/4825/head
Unknwon 7 years ago
parent
commit
ea313d0c1e
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
  1. 3
      routes/api/v1/user/user.go

3
routes/api/v1/user/user.go

@ -12,6 +12,7 @@ import (
"github.com/gogits/gogs/models"
"github.com/gogits/gogs/models/errors"
"github.com/gogits/gogs/pkg/context"
"github.com/gogits/gogs/pkg/markup"
)
func Search(c *context.APIContext) {
@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
ID: users[i].ID,
UserName: users[i].Name,
AvatarUrl: users[i].AvatarLink(),
FullName: users[i].FullName,
FullName: markup.Sanitize(users[i].FullName),
}
if c.IsLogged {
results[i].Email = users[i].Email
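Review bot: Only `FullName` is sanitized in the result literal, while `results[i].Email = users[i].Email` just below still returns a user-controlled string unchanged and `UserName` is passed through as well; if those fields are not restricted to HTML-safe characters when the account is created or edited (not visible here), the same injection remains for any client that inserts search results into the DOM. Sanitizing inside a JSON endpoint also changes the value that non-HTML consumers receive, so the page or script that renders these results should still escape on output rather than rely on this call alone. I would add a comment on the changed line, `// FullName is free text; sanitized because web clients may render search results as HTML`, and either give Email the same treatment or note why it is already safe. The body of Search continues outside both hunks, so other uses of these fields could not be checked.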
