-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor locale&string&template related code #29165
Conversation
dee6c5d
to
4ae600f
Compare
4ae600f
to
74a09e6
Compare
74a09e6
to
33c6f23
Compare
Wouldn't it be easier to add a |
No, the real problem is that |
Yes, but doesn't this enable XSS attacks? |
I don't understand how this makes things safer, for me it seems less safe… |
Why and how? Do you have an example to break it?
No, every argument is under control now. Every string gets "escaped". |
Yep, I've noticed what you mean by looking further through your PR. |
There is no much difference for the "|Safe" modifier (comparing to before, I think the new approach is indeed better). |
Backport? |
No idea (maybe I slightly prefer no), it doesn't seems easy to backport and usually we don't backport unnecessary refactoring PRs. If most people would like to, I could try. |
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly.
* giteaofficial/main: (23 commits) Remove jQuery from SSH key form parser (go-gitea#29193) Refactor request function (go-gitea#29187) Docker Tag Information in Docs (go-gitea#29047) Fix gitea-action user avatar broken on edited menu (go-gitea#29190) Disable parallel Make execution (go-gitea#29186) Auto-update the system status in admin dashboard (go-gitea#29163) Avoid vue warning in dev mode (go-gitea#29188) Update JS and PY dependencies (go-gitea#29184) [skip ci] Updated translations via Crowdin Implement contributors graph (go-gitea#27882) Add support for action artifact serve direct (go-gitea#29120) Advertise WebAuthn support (go-gitea#29176) Tweak repo header (go-gitea#29134) Change webhook-type in create-view (go-gitea#29114) Remove jQuery from the comment task list (go-gitea#29170) Fix can not select team reviewers when reviewers is empty (go-gitea#29174) move sign in labels to be above inputs (go-gitea#28753) Refactor locale&string&template related code (go-gitea#29165) Extract linguist code to method (go-gitea#29168) bump to use go 1.22 (go-gitea#29119) ...
Follow #29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage
Follow #29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly.
…plates (go-gitea#29227) Follow go-gitea#29165. These HTML strings are safe to be rendered directly, to avoid double-escaping.
Follow go-gitea#29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage
Follow go-gitea#29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Follow #29165 * some of them are incorrect, which would lead to double escaping (eg: `(print (Escape $.RepoLink)`) * other of them are not necessary, because `Tr` handles strings&HTML automatically Suggest to review by "unified view": https://github.com/go-gitea/gitea/pull/29394/files?diff=unified&w=0
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly. (cherry picked from commit f3eb835) Conflicts: modules/web/middleware/binding.go routers/web/feed/convert.go tests/integration/branches_test.go tests/integration/repo_branch_test.go trivial context conflicts
…plates (go-gitea#29227) Follow go-gitea#29165. These HTML strings are safe to be rendered directly, to avoid double-escaping. (cherry picked from commit a784ed3)
Follow go-gitea#29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage (cherry picked from commit 31bb9f3)
Follow go-gitea#29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me> (cherry picked from commit 4345cac)
Automatically locked because of our CONTRIBUTING guidelines |
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape)
And help PRs like #29059 , to render the error messages correctly.
The only possible regression bug is that something on the UI might get double-escaped, which is pretty easy to fix (and I will fix them in first time, as always). Update: if such regression happens, it should be the old code's bug, which needs to be fixed accordingly.