From 206b66a18467690b973bb159c3054dab3e96598a Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sat, 26 Dec 2020 22:15:42 +0000
Subject: [PATCH] Fix escaping issue in diff (#14154)

Ensure that linecontent is escaped before passing to template.HTML

Signed-off-by: Andrew Thornton
---
 services/gitdiff/gitdiff.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 79cd16e193..81b92f7168 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -10,6 +10,7 @@ import (
 "bytes"
 "context"
 "fmt"
+ "html"
 "html/template"
 "io"
 "io/ioutil"
@@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
 // escape a line's content or return
needed for copy/paste purposes
 func getLineContent(content string) string {
 if len(content) > 0 {
- return content
+ return html.EscapeString(content)
 }
- return "\n"
+ return "
" } }
 // DiffSection represents a section of a DiffFile.
@@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
 diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
 diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
- diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
- return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
 }
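Review bot: The comment above getLineContent still describes the old contract; now that the non-empty branch returns `html.EscapeString(content)`, it should say that the result is already HTML-escaped and is meant to be wrapped in template.HTML by the caller without further escaping, while the empty branch returns literal line-break markup (the tag itself is not visible in this rendering of the diff) that must remain the only unescaped markup this function emits. Suggested wording: `// getLineContent returns content HTML-escaped for wrapping in template.HTML, or the line-break element needed for copy/paste when content is empty.` Any caller outside this hunk that already escapes before wrapping in template.HTML would now double-escape, so those call sites deserve a quick check. A regression test would pin the fix: `if got := getLineContent("<a>&"); got != "&lt;a&gt;&amp;" { t.Fatalf("got %q", got) }`. The whole of getLineContent lies inside the hunk; its callers do not.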