diff options
| author | Unknwon <u@gogs.io> | 2017-10-15 00:07:46 -0400 |
|---|---|---|
| committer | Unknwon <u@gogs.io> | 2017-10-15 00:07:46 -0400 |
| commit | b727e0be71647c72124d64108c913e4a5bec156b (patch) | |
| tree | 5d957a700134e4b65c92fc6a43a89f2709d289f7 /templates/repo/editor | |
| parent | ea313d0c1e6e467273bcd44fb1d42ff8e9045454 (diff) | |
SECURITY: fix branch name persistent XSS
Reported by Carl Hattenfels.
Diffstat (limited to 'templates/repo/editor')
| -rw-r--r-- | templates/repo/editor/commit_form.tmpl | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl index 6aee9f1d..6ee6300f 100644 --- a/templates/repo/editor/commit_form.tmpl +++ b/templates/repo/editor/commit_form.tmpl @@ -14,7 +14,8 @@ <input type="radio" class="js-quick-pull-choice-option" name="commit_choice" value="direct" {{if eq .commit_choice "direct"}}checked{{end}}> <label> <i class="octicon octicon-git-commit" height="16" width="14"></i> - {{.i18n.Tr "repo.editor.commit_directly_to_this_branch" .BranchName | Safe}} + {{$branchName := .BranchName | Str2html}} + {{.i18n.Tr "repo.editor.commit_directly_to_this_branch" $branchName | Safe}} </label> </div> </div> |