fix: remove str2html from org full name #1360

Merged: 2 commits, Apr 6, 2017

Conversation

appleboy
Member

@appleboy appleboy commented Mar 22, 2017

We need to remove str2html from org full name.

[screenshot: screen shot 2017-03-25 at 9 26 16 pm]

@lunny
Member

lunny commented Mar 23, 2017

Any security considerations?

@tboerger tboerger added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 23, 2017
@appleboy
Member Author

@lunny NO

@lunny
Member

lunny commented Mar 24, 2017

LGTM

@tboerger tboerger added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 24, 2017
@strk
Member

strk commented Mar 25, 2017

I'm confused here. Are we converting the "FullName" field of an organization TO HTML? Why? I am assuming that the template framework will strip HTML tags from the input, is that correct?

@cez81
Contributor

cez81 commented Mar 25, 2017

Same problem in tab name, see https://try.gitea.io/Test123

[screenshot: 2017-03-25 12_32_23- lt gt amp amp - gitea_ git with a cup of tea]

@appleboy
Member Author

@lunny @strk I will update this PR for the security issue.

@appleboy appleboy changed the title fix: convert org full name using Str2html func. [WIP] fix: convert org full name using Str2html func. Mar 25, 2017
@appleboy appleboy changed the title [WIP] fix: convert org full name using Str2html func. fix: remove str2html from org full name Mar 25, 2017
@appleboy
Member Author

@strk @lunny done. I updated the original comments.

@lunny lunny added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Mar 25, 2017
@strk
Member

strk commented Mar 25, 2017

Now it makes sense, thank you @appleboy, LGTM

@tboerger tboerger added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 25, 2017
@appleboy
Member Author

@lunny Can you confirm this PR again?

@lunny
Member

lunny commented Mar 27, 2017

500 after I changed the org's name to <a href='#'>teets</a> and visited the org home page.

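Added example (not code from this PR or from Gitea): strk asked above whether the template framework strips HTML tags from the input, and lunny then tried an org full name of <a href='#'>teets</a>. Go's html/template escapes an ordinary string automatically; the escaping is bypassed only when the value is handed over already marked as trusted markup by wrapping it in template.HTML, which is what a Str2html-style helper is assumed here to return. The template, function names and data layout below are illustrative and the sample name is constructed; none of it is Gitea's own code.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// orgTemplate stands in for the org home page header; it is not Gitea's template.
const orgTemplate = `<h1>{{.FullName}}</h1>`

// ConstructedFullName is a constructed sample org full name modelled on the
// reproduction attempt in the thread.
const ConstructedFullName = "<a href='#'>teets</a> & co"

// render parses and executes orgTemplate against data and returns the HTML.
func render(data interface{}) (string, error) {
	tmpl, err := template.New("org").Parse(orgTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderEscaped passes the full name as a plain string. html/template applies
// context-aware escaping, so '<', '>', '&' and quotes come out as entities.
func RenderEscaped(fullName string) (string, error) {
	return render(map[string]interface{}{"FullName": fullName})
}

// RenderAsTrustedHTML wraps the full name in template.HTML first. The engine
// treats such a value as already-safe markup and emits it verbatim (assumed to
// be the effect of a Str2html-style helper), so any tags in the name survive.
func RenderAsTrustedHTML(fullName string) (string, error) {
	return render(map[string]interface{}{"FullName": template.HTML(fullName)})
}

// ContainsRawTag reports whether the rendered output still carries a literal
// "<a " from the input, i.e. whether escaping was bypassed.
func ContainsRawTag(rendered string) bool {
	return strings.Contains(rendered, "<a ")
}

func main() {
	escaped, err := RenderEscaped(ConstructedFullName)
	if err != nil {
		panic(err)
	}
	trusted, err := RenderAsTrustedHTML(ConstructedFullName)
	if err != nil {
		panic(err)
	}
	fmt.Println("plain string: ", escaped, "raw tag:", ContainsRawTag(escaped))
	fmt.Println("template.HTML:", trusted, "raw tag:", ContainsRawTag(trusted))
}
```

Run with `go run .`: the plain-string rendering shows the name as text with the angle brackets turned into entities, while the template.HTML rendering keeps the anchor tag intact. That is the difference between the template before and after this PR: dropping the helper returns the field to the escaped path, so no extra sanitizing step is needed for it.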
@appleboy
Member Author

@lunny Can't reproduce the 500 error page.

@strk Could you please test again?

@lunny
Member

lunny commented Apr 6, 2017

@appleboy I can't reproduce it either. Let's merge this first.

@lunny lunny merged commit 0cee52e into go-gitea:master Apr 6, 2017
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug