authorUnknwon <u@gogs.io>2017-10-14 23:53:20 -0400
committerUnknwon <u@gogs.io>2017-10-14 23:53:20 -0400
commitea313d0c1e6e467273bcd44fb1d42ff8e9045454 (patch)
tree59379aa974985bc8872252eeb18f58b8070d3e8b /routes/api
parentc1507eda4516d52081bf20e587089f73e19655a0 (diff)
SECURITY: HTML injection in user search API
Reported by Tim Hawes.
Diffstat (limited to 'routes/api')
-rw-r--r--routes/api/v1/user/user.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go
index dbf727de..8326eea5 100644
--- a/routes/api/v1/user/user.go
+++ b/routes/api/v1/user/user.go
@@ -12,6 +12,7 @@ import (
"github.com/gogits/gogs/models"
"github.com/gogits/gogs/models/errors"
"github.com/gogits/gogs/pkg/context"
+ "github.com/gogits/gogs/pkg/markup"
)
func Search(c *context.APIContext) {
@@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
ID: users[i].ID,
UserName: users[i].Name,
AvatarUrl: users[i].AvatarLink(),
- FullName: users[i].FullName,
+ FullName: markup.Sanitize(users[i].FullName),
}
if c.IsLogged {
results[i].Email = users[i].Email
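Review bot: Sanitizing FullName only where the search result is assembled on line 33 fixes this one response site, but any other endpoint that serializes a user's FullName (a shared user-to-API conversion, if one exists, or the user/profile routes) presumably still emits the stored value raw, and the sibling fields written here — `UserName` on line 30 and `Email` on line 36 — are passed through untouched. If the root cause is that the profile form accepts HTML in FullName, sanitizing or rejecting it at save time, or in a single shared conversion helper, would cover every consumer instead of this one call site. The behaviour of markup.Sanitize (strip versus escape) is not visible in this hunk, so a why-comment on the new line would help the next reader, e.g. `// FullName is free-form user input; sanitize so API consumers that render the JSON verbatim are not exposed to stored HTML.` Search begins before this hunk and continues after it.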