diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index fa4eb6d61f2cd..28cc9d1341506 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -528,13 +528,15 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
// to prevent iframe load third-party url
ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'")
} else if readmeExist && !shouldRenderSource {
- buf := &bytes.Buffer{}
ctx.Data["IsRenderedHTML"] = true
- ctx.Data["EscapeStatus"], _ = charset.EscapeControlReader(rd, buf, ctx.Locale)
+ buf, _ := io.ReadAll(rd)
+
+ // Do render a EscapeStatus, but don't render escaped HTML as it's plain text.
+ ctx.Data["EscapeStatus"], _ = charset.EscapeControlReader(bytes.NewReader(buf), io.Discard, ctx.Locale)
ctx.Data["FileContent"] = strings.ReplaceAll(
- gotemplate.HTMLEscapeString(buf.String()), "\n", `
`,
+ gotemplate.HTMLEscapeString(string(buf)), "\n", `
`,
)
} else {
buf, _ := io.ReadAll(rd)