forgejo/templates/repo
Gusted ef05332c3b
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
through `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited: the names of authors and committers on a Git
commit are user-controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do so, as it actually strips `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as it doesn't have such restrictions.
- Pass `.Author.Name` through `Escape` in order to be sanitized.

(cherry picked from commit d24c37e132)

Conflicts:
	templates/repo/wiki/revision.tmpl
	templates/repo/wiki/view.tmpl
	trivial context conflict
2024-02-22 22:36:14 +01:00
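The template problem the commit message describes, as an added Go example that is not Forgejo's own code: the "last edited" string has to be marked `Safe` because its time part is an HTML element, so anything interpolated into it, including the commit author name, is rendered as markup unless it is escaped first. The `safe`/`escape` helpers below stand in for the project's `Safe` and `Escape` template functions, and the wording of the string, the `<relative-time>` element and the payload author name are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Added illustration, not Forgejo's own code. `safe` and `escape` stand in for
// the project's `Safe` and `Escape` template helpers; the wording of the
// "last edited" string and the <relative-time> element are assumptions.

// commit is a constructed stand-in for the git commit shown on a wiki page.
type commit struct {
	Author struct{ Name string }
	When   string
}

// safe mimics a `Safe` helper: it marks the string as trusted HTML, so
// html/template will not escape anything inside it.
func safe(s string) template.HTML { return template.HTML(s) }

// escape mimics an `Escape` helper: untrusted text to HTML-safe text.
func escape(s string) string { return html.EscapeString(s) }

// lastCommitInfo builds "<author> edited this page <relative-time ...>".
// The time part is an HTML element, so the whole string has to be marked
// Safe; that is exactly why the author name must be escaped first.
// escapeName=false reproduces the vulnerable template, true the fixed one.
func lastCommitInfo(c commit, escapeName bool) template.HTML {
	name := c.Author.Name
	if escapeName {
		name = escape(name)
	}
	when := fmt.Sprintf(`<relative-time datetime="%s">%s</relative-time>`, c.When, c.When)
	return safe(fmt.Sprintf("%s edited this page %s", name, when))
}

// render executes a tiny page fragment the way the wiki view template would.
func render(c commit, escapeName bool) string {
	tmpl := template.Must(template.New("wiki").Parse(
		`<div class="ui sub header">{{.Info}}</div>`))
	var sb strings.Builder
	if err := tmpl.Execute(&sb, map[string]any{"Info": lastCommitInfo(c, escapeName)}); err != nil {
		panic(err)
	}
	return sb.String()
}

func main() {
	var c commit
	// Constructed payload. The git CLI strips `<` and `>` from author names,
	// so such a commit has to be produced by another client (e.g. go-git).
	c.Author.Name = `<img src=x onerror="alert(1)">`
	c.When = "2024-02-22T22:36:14+01:00"
	fmt.Println("vulnerable:", render(c, false))
	fmt.Println("fixed:     ", render(c, true))
}
```

Running it prints the author payload as live markup in the vulnerable variant and as `&lt;img ...&gt;` in the fixed one, while the `<relative-time>` element survives in both; that is the behaviour the template change restores.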
actions Actions list enhancements (#25601) (#25678) 2023-07-04 13:00:34 +00:00
branch Several fixes for mobile UI (#25634) (#25689) 2023-07-07 00:34:00 +02:00
cite Button and color enhancements (#24989) (#25176) 2023-06-11 02:13:08 +00:00
diff Fix being unable to use a repo that prohibits accepting PRs as a PR source. (#26785) (#26790) 2023-09-08 08:09:18 +02:00
editor Fix incorrect "tabindex" attributes (#26733) (#26734) 2023-09-08 08:07:19 +02:00
find Refactor hiding-methods, remove jQuery show/hide, remove .hide class, remove inline style=display:none (#22950) 2023-02-19 12:06:14 +08:00
graph Improve commit graph alignment and truncating (#26112) (#26127) 2023-07-26 13:49:15 +02:00
issue Fix incorrect "tabindex" attributes (#26733) (#26734) 2023-09-08 08:07:19 +02:00
migrate [SECURITY] review(kn4ck3r): more template escapes 2024-02-22 22:33:06 +01:00
projects Fix incorrect "tabindex" attributes (#26733) (#26734) 2023-09-08 08:07:19 +02:00
pulls Don't stack PR tab menu on small screens (#25789) 2023-08-18 15:40:21 +02:00
release Button and color enhancements (#24989) (#25176) 2023-06-11 02:13:08 +00:00
settings [SECURITY] review(kn4ck3r): more template escapes 2024-02-22 22:33:06 +01:00
tag RSS icon fixes (#24476) 2023-05-10 22:27:02 +00:00
wiki [SECURITY] Fix XSS in wiki last commit information 2024-02-22 22:36:14 +01:00
activity.tmpl Fix UI on mobile view (#25315) (#25340) 2023-06-18 13:02:41 +00:00
blame.tmpl Button and color enhancements (#24989) (#25176) 2023-06-11 02:13:08 +00:00
branch_dropdown.tmpl Make Issue/PR/projects more compact, misc CSS tweaks (#24459) 2023-05-03 17:58:59 -04:00
clone_buttons.tmpl Clarify "text-align" CSS helpers, fix clone button padding (#25763) (#25764) 2023-07-10 00:19:24 +02:00
clone_script.tmpl Rework button coloring, add focus and active colors (#24507) 2023-05-29 12:45:22 +00:00
commit_page.tmpl Clarify "text-align" CSS helpers, fix clone button padding (#25763) (#25764) 2023-07-10 00:19:24 +02:00
commit_status.tmpl Make pending commit status yellow again (#25935) (#25968) 2023-07-24 07:58:56 +02:00
commit_statuses.tmpl Button and color enhancements (#24989) (#25176) 2023-06-11 02:13:08 +00:00
commits.tmpl Fix some UI alignments (#25277) (#25290) 2023-06-16 00:32:59 +00:00
commits_list.tmpl Several fixes for mobile UI (#25634) (#25689) 2023-07-07 00:34:00 +02:00
commits_list_small.tmpl Use flex to align SVG and text (#25163) (#25260) 2023-06-14 13:21:48 -04:00
commits_table.tmpl Fix commit compare style (#26209) (#26226) 2023-07-30 07:46:19 +02:00
create.tmpl Fix incorrect "tabindex" attributes (#26733) (#26734) 2023-09-08 08:07:19 +02:00
create_helper.tmpl Add templates to customize text when creating and migrating repositories 2023-01-24 22:36:48 -05:00
empty.tmpl Fix UI on mobile view (#25315) (#25340) 2023-06-18 13:02:41 +00:00
file_info.tmpl Show if File is Executable (#25287) (#25300) 2023-06-16 09:29:26 +00:00
forks.tmpl Remove fomantic ".link" selector and styles (#23888) 2023-04-03 20:47:23 -04:00
graph.tmpl Replace remaining fontawesome dropdown icons with SVG (#24455) 2023-05-01 05:35:02 -04:00
header.tmpl Clarify "text-align" CSS helpers, fix clone button padding (#25763) (#25764) 2023-07-10 00:19:24 +02:00
home.tmpl Hide add file button for pull mirrors (#25748) (#25751) 2023-07-07 14:12:59 +00:00
icon.tmpl Move helpers to be prefixed with gt- (#22879) 2023-02-13 17:59:59 +00:00
packages.tmpl Add main landmark to templates and adjust titles (#22670) 2023-02-01 22:56:10 +00:00
release_tag_header.tmpl Fix incorrect release count (#25879) (#25887) 2023-07-14 09:32:43 +00:00
search.tmpl Use data-tooltip-content for tippy tooltip (#23649) 2023-03-24 18:35:38 +08:00
search_name.tmpl Clean template/helper.go (#23922) 2023-04-07 03:31:41 -04:00
shabox_badge.tmpl Fix shabox regression (#22924) 2023-02-16 09:37:11 +08:00
sub_menu.tmpl Fix tags header and pretty format numbers (#25624) (#25694) 2023-07-05 07:08:16 +00:00
unicode_escape_prompt.tmpl Clarify "text-align" CSS helpers, fix clone button padding (#25763) (#25764) 2023-07-10 00:19:24 +02:00
upload.tmpl Refactor i18n to locale (#20153) 2022-06-27 15:58:46 -05:00
user_cards.tmpl Change join_on translation to joined_on and include placeholder for the date (#24550) 2023-05-06 18:10:30 +08:00
view_file.tmpl Button and color enhancements (#24989) (#25176) 2023-06-11 02:13:08 +00:00
view_list.tmpl Various UI fixes (#25264) (#25431) 2023-06-22 10:19:38 +00:00
watchers.tmpl Fix user-cards format (#24428) 2023-04-29 15:43:01 -04:00