Skip to content

Bad HTML encoding in blames #17492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
sibzou opened this issue Oct 30, 2021 · 3 comments · Fixed by #17498
Closed

Bad HTML encoding in blames #17492

sibzou opened this issue Oct 30, 2021 · 3 comments · Fixed by #17498
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug
Milestone
1.15.7

Comments

@sibzou
Copy link

sibzou commented Oct 30, 2021
edited
Loading

Gitea Version

1.15.6

Git Version

2.33.1

Operating System

Arch Linux

How are you running Gitea?

Using gitea official builds from dl.gitea.io/gitea. It's the gitea-1.15.6-linux-amd64 executable.

Database

SQLite

Can you reproduce the bug on the Gitea demo site?

Yes, here : https://try.gitea.io/issuereporter287/repo

Log Gist

No response

Description

Reproduction :

  • create a new repo in the web interface
  • commit a new file in this repo and put special characters in the commit like <, > or '
  • push the commit in gitea
  • look at the new file blame in the web interface

Result : the special characters of the commit text are badly encoded on the blame page.

I tested by commiting <yes> l'apo. It is displayed as &lt;yes&gt; l&#39;apo on the web page.

Screenshots

image
@sibzou
Copy link
Author

sibzou commented Oct 30, 2021

The <a> tag contains &amp;lt;yes&amp;gt; l&amp;#39;apo. It should contain &lt;yes&gt; l&#39;apo. It's the same thing for the title attribute of <a>.

@wxiaoguang
Copy link
Contributor

I think it is a double-encoding bug.

Can you share the existing reproducible URL on try.gitea.io? Then developers can view the bug at first glance.

@sibzou
Copy link
Author

sibzou commented Oct 30, 2021
edited by wxiaoguang
Loading

Yes it is here https://try.gitea.io/issuereporter287/repo .

https://try.gitea.io/issuereporter287/repo/blame/commit/a714ea7288a2a97e5d3112af0c6d336cf4cacf6a/file

@wxiaoguang wxiaoguang added type/bug issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented labels Oct 30, 2021
zeripath added a commit to zeripath/gitea that referenced this issue Oct 31, 2021
@zeripath
Stop double encoding blame commit messages
cb5ba56 
The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.

This PR fixes this.

Fix go-gitea#17492

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath mentioned this issue Oct 31, 2021
Merged
lafriks pushed a commit that referenced this issue Oct 31, 2021
@zeripath
Stop double encoding blame commit messages (#17498)
4e8a817 
The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.

This PR fixes this.

Fix #17492

Signed-off-by: Andrew Thornton <[email protected]>
zeripath added a commit to zeripath/gitea that referenced this issue Oct 31, 2021
@zeripath
Stop double encoding blame commit messages (go-gitea#17498)
0e214c7 
Backport go-gitea#17498

The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.

This PR fixes this.

Fix go-gitea#17492

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath mentioned this issue Oct 31, 2021
Merged
wxiaoguang pushed a commit that referenced this issue Oct 31, 2021
@zeripath
Stop double encoding blame commit messages (#17498) (#17500)
9340269 
Backport #17498

The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.

This PR fixes this.

Fix #17492

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath added this to the 1.15.7 milestone Oct 31, 2021
Chianina pushed a commit to Chianina/gitea that referenced this issue Mar 28, 2022
@zeripath
Stop double encoding blame commit messages (go-gitea#17498)
4b7abe9 
The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.

This PR fixes this.

Fix go-gitea#17492

Signed-off-by: Andrew Thornton <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug
Projects
None yet
Milestone
1.15.7
Development

Successfully merging a pull request may close this issue.

Stop double encoding blame commit messages zeripath/gitea
3 participants
@zeripath @wxiaoguang @sibzou