From 1e23ee1c80e82bc2dd63372297b2678a658a9594 Mon Sep 17 00:00:00 2001
From: nickolas360 <1058877+nickolas360@users.noreply.github.com>
Date: Fri, 8 Jun 2018 16:22:51 -0700
Subject: [PATCH] HTML-escape text READMEs
---
routers/repo/view.go | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/routers/repo/view.go b/routers/repo/view.go
index d2efe30096733..4f1deeae40cd8 100644
--- a/routers/repo/view.go
+++ b/routers/repo/view.go
@@ -105,7 +105,9 @@ func renderDirectory(ctx *context.Context, treeLink string) {
ctx.Data["FileContent"] = string(markup.Render(readmeFile.Name(), buf, treeLink, ctx.Repo.Repository.ComposeMetas()))
} else {
ctx.Data["IsRenderedHTML"] = true
- ctx.Data["FileContent"] = string(bytes.Replace(buf, []byte("\n"), []byte(`
`), -1))
+ ctx.Data["FileContent"] = strings.Replace(
+ gotemplate.HTMLEscapeString(string(buf)), "\n", `
`, -1,
+ )
}
}
}
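Review bot: The escaped string is still published under `IsRenderedHTML` (the flag set two lines above the replacement), so the template presumably emits `FileContent` without escaping of its own and the `HTMLEscapeString` call is the only thing keeping a plain-text README from injecting markup; that dependency deserves a comment so nobody later "simplifies" it away, e.g. `// Plain-text README: the template trusts FileContent as HTML, so escape it before inserting line breaks.` The raw-string replacement for `"\n"` appears here as a literal line break, which looks like a tag lost in extraction rather than the actual source; if it is an HTML tag, escaping first and inserting it afterwards is the right order. The diffstat shows no import hunk, so `strings` and `gotemplate` must already be imported in view.go — worth confirming the file builds. `renderDirectory` begins and ends outside this hunk.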
@@ -208,7 +210,9 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
ctx.Data["FileContent"] = string(markup.Render(blob.Name(), buf, path.Dir(treeLink), ctx.Repo.Repository.ComposeMetas()))
} else if readmeExist {
ctx.Data["IsRenderedHTML"] = true
- ctx.Data["FileContent"] = string(bytes.Replace(buf, []byte("\n"), []byte(`
`), -1))
+ ctx.Data["FileContent"] = strings.Replace(
+ gotemplate.HTMLEscapeString(string(buf)), "\n", `
`, -1,
+ )
} else {
// Building code view blocks with line number on server side.
var fileContent string
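Review bot: The three-line escape-then-replace expression added here is byte-for-byte the same as the one added in `renderDirectory`, and a security-critical transform duplicated in two places tends to drift; extract it into one small helper (say `func textToHTML(buf []byte) string` wrapping the same `gotemplate.HTMLEscapeString` + `strings.Replace` call) with a doc comment stating that its output is rendered as trusted HTML, and call it from both `IsRenderedHTML` branches. Note that replacing only `"\n"` leaves a stray `\r` before each break for CRLF READMEs — harmless in HTML, and unchanged from the old code, but the helper's comment could say so. `renderFile` begins and ends outside this hunk.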