From 263d4093260707c6249eecb52ad52a0205e61351 Mon Sep 17 00:00:00 2001
From: Unknwon <joe2010xtmf@163.com>
Date: Sat, 4 Oct 2014 17:15:22 -0400
Subject: Basic xss prevention

---
 models/repo.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'models')

diff --git a/models/repo.go b/models/repo.go
index a79c2491..8e29b335 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -23,6 +23,7 @@ import (
 	"github.com/Unknwon/cae/zip"
 	"github.com/Unknwon/com"
 
+	"github.com/gogits/gogs/modules/base"
 	"github.com/gogits/gogs/modules/git"
 	"github.com/gogits/gogs/modules/log"
 	"github.com/gogits/gogs/modules/process"
@@ -48,7 +49,7 @@ var (
 )
 
 var (
-	DescriptionPattern = regexp.MustCompile(`https?://\S+`)
+	DescPattern = regexp.MustCompile(`https?://\S+`)
 )
 
 func LoadRepoConfig() {
@@ -181,7 +182,7 @@ func (repo *Repository) DescriptionHtml() template.HTML {
 		ss := html.EscapeString(s)
 		return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
 	}
-	return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
+	return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize))
 }
 
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
-- 
cgit v1.2.3