Escape more things that are passed through str2html (#12622)

* Escape more things that are passed through str2html Signed-off-by: Andrew Thornton <art27@cantab.net> * Bloody editors! Co-authored-by: mrsdizzie <info@mrsdizzie.com> * Update routers/user/oauth.go Co-authored-by: mrsdizzie <info@mrsdizzie.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2020-08-28 05:37:05 +01:00 · 2020-08-28 05:37:05 +01:00 · d3b5edacb6
commit d3b5edacb6
parent cbc60f5c70
7 changed files with 18 additions and 17 deletions
--- a/routers/user/oauth.go
+++ b/routers/user/oauth.go
@ -7,6 +7,7 @@ package user
 import (
 	"encoding/base64"
 	"fmt"
+	"html"
 	"net/url"
 	"strings"

@ -271,8 +272,8 @@ func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {
 	ctx.Data["Application"] = app
 	ctx.Data["RedirectURI"] = form.RedirectURI
 	ctx.Data["State"] = form.State
-	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.AppURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"
-	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"
+	ctx.Data["ApplicationUserLink"] = "<a href=\"" + html.EscapeString(setting.AppURL) + html.EscapeString(url.PathEscape(app.User.LowerName)) + "\">@" + html.EscapeString(app.User.Name) + "</a>"
+	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
 	// TODO document SESSION <=> FORM
 	err = ctx.Session.Set("client_id", app.ClientID)
 	if err != nil {