From ea313d0c1e6e467273bcd44fb1d42ff8e9045454 Mon Sep 17 00:00:00 2001
From: Unknwon <u@gogs.io>
Date: Sat, 14 Oct 2017 23:53:20 -0400
Subject: SECURITY: HTML injection in user search API

Reported by Tim Hawes.
---
 routes/api/v1/user/user.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


diff --git a/routes/api/v1/user/user.go b/routes/api/v1/user/user.go
index dbf727de..8326eea5 100644
--- a/routes/api/v1/user/user.go
+++ b/routes/api/v1/user/user.go
@@ -12,6 +12,7 @@ import (
 	"github.com/gogits/gogs/models"
 	"github.com/gogits/gogs/models/errors"
 	"github.com/gogits/gogs/pkg/context"
+	"github.com/gogits/gogs/pkg/markup"
 )
 
 func Search(c *context.APIContext) {
@@ -39,7 +40,7 @@ func Search(c *context.APIContext) {
 			ID:        users[i].ID,
 			UserName:  users[i].Name,
 			AvatarUrl: users[i].AvatarLink(),
-			FullName:  users[i].FullName,
+			FullName:  markup.Sanitize(users[i].FullName),
 		}
 		if c.IsLogged {
 			results[i].Email = users[i].Email
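Review bot: `FullName: markup.Sanitize(users[i].FullName)` fixes the injection only at this one serializer, while the raw, unsanitized full name is still stored and presumably still emitted by other user endpoints and templates that are outside this diff. The durable fix is to sanitize or reject the value when the profile is saved (so every consumer gets a safe value) and/or to HTML-escape at the rendering site, keeping this call as defence in depth; applying it here also means API clients now receive a transformed string that may be double-escaped by consumers that already escape. The same hunk returns `UserName` and, for logged-in callers, `Email` untouched — fine if those are validated on input, but that assumption is not visible here and deserves a check. A one-line comment would keep the intent from being "optimised away": `// FullName is free-form user input; sanitize so JSON consumers that insert it into the DOM are not exposed to HTML injection.` The `Search` body starts before this hunk and continues past it.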
-- 