Commit bbffcc3

authored Nov 16, 2021
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this. This is an extensive PR attempting to fix these issues.

1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales

Signed-off-by: Andrew Thornton <[email protected]>
Signed-off-by: Andrew Thornton <[email protected]>
1 parent 7e1ae38 commit bbffcc3
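
The escaping order named in point 6 of the commit message (PathEscape / QueryEscape while the URL is built, then HTML escaping when it is written into markup), as an added example that is not code from this commit or from Gitea. The helper names and the sample owner, repository, keyword and page names are constructed for illustration, and the block goes slightly beyond the message by showing per-segment escaping next to single-segment escaping.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// pathEscapeSegments (hypothetical helper) escapes each "/"-separated segment
// on its own: the separators survive, "#", "?" and spaces inside a segment do not.
func pathEscapeSegments(p string) string {
	segs := strings.Split(p, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return strings.Join(segs, "/")
}

// issueSearchURL (hypothetical) builds the issues URL from raw, unescaped
// strings: path parts get PathEscape, the query value gets QueryEscape.
func issueSearchURL(owner, repo, keyword string) string {
	return "/" + url.PathEscape(owner) + "/" + url.PathEscape(repo) +
		"/issues?type=created_by&q=" + url.QueryEscape(keyword)
}

// wikiPageURL (assumption: the page name stays in ONE segment, so "/" becomes %2F).
func wikiPageURL(repoLink, page string) string {
	return repoLink + "/wiki/" + url.PathEscape(page)
}

// anchor is the last step: the finished URL is HTML-escaped for the attribute.
func anchor(href, text string) string {
	return `<a href="` + html.EscapeString(href) + `">` + html.EscapeString(text) + `</a>`
}

func main() {
	// Constructed sample values containing URL and HTML metacharacters.
	u := issueSearchURL("alice", "c# notes?", `a&b "x"`)
	fmt.Println(u)
	fmt.Println(anchor(u, "search"))
	fmt.Println(wikiPageURL("/alice/docs", "setup/linux #1"))
	fmt.Println(pathEscapeSegments("docs/release notes/v1#rc.md"))
}
```

Parsing the generated URL with `url.Parse` returns the original repository name and keyword unchanged, which is a cheap round-trip check to add wherever URLs are assembled from user-controlled names.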

153 files changed: +891 -712 lines changed


‎integrations/issue_test.go

Lines changed: 2 additions & 2 deletions
@@ -65,7 +65,7 @@ func TestViewIssuesSortByType(t *testing.T) {
6565
repo := unittest.AssertExistsAndLoadBean(t, &models.Repository{ID: 1}).(*models.Repository)
6666

6767
session := loginUser(t, user.Name)
68-
req := NewRequest(t, "GET", repo.RelLink()+"/issues?type=created_by")
68+
req := NewRequest(t, "GET", repo.Link()+"/issues?type=created_by")
6969
resp := session.MakeRequest(t, req, http.StatusOK)
7070

7171
htmlDoc := NewHTMLParser(t, resp.Body)
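Review bot: The switch from `repo.RelLink()` to `repo.Link()` on line 68 is not covered by any of the six points in the commit message, so a reader of this hunk cannot tell whether RelLink() was removed or renamed, or whether it differs from Link() in how it escapes. Please add a line to the commit message, or a doc comment on Link(), stating what it returns and whether the result is already path-escaped, since callers like this one append `/issues?type=created_by` to it by plain concatenation.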
@@ -97,7 +97,7 @@ func TestViewIssuesKeyword(t *testing.T) {
9797
issues.UpdateIssueIndexer(issue)
9898
time.Sleep(time.Second * 1)
9999
const keyword = "first"
100-
req := NewRequestf(t, "GET", "%s/issues?q=%s", repo.RelLink(), keyword)
100+
req := NewRequestf(t, "GET", "%s/issues?q=%s", repo.Link(), keyword)
101101
resp := MakeRequest(t, req, http.StatusOK)
102102

103103
htmlDoc := NewHTMLParser(t, resp.Body)
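Review bot: On line 100 `keyword` is still interpolated into the query string with a bare `%s`, which is at odds with the commit message's rule that every string is escaped even when it is not expected to need it. It is harmless while the constant is "first", but the request will silently change meaning if the keyword ever gains a space, `&` or `#`; suggest passing `url.QueryEscape(keyword)` here.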

‎integrations/links_test.go

Lines changed: 1 addition & 1 deletion
@@ -156,7 +156,7 @@ func testLinksAsUser(userName string, t *testing.T) {
156156
"/releases",
157157
"/releases/new",
158158
//"/wiki/_pages",
159-
"/wiki/_new",
159+
"/wiki/?action=_new",
160160
}
161161

162162
for _, repo := range apiRepos {
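Review bot: Line 159 replaces `/wiki/_new` with `/wiki/?action=_new`, but nothing in this list checks what the old path now returns, so links and bookmarks to the old form have no tested behaviour. Suggest adding an assertion for the old URL's expected response (redirect, 404 or a page lookup). The commented-out `//"/wiki/_pages",` entry on line 158 is also left in the old path form; if the pages listing moved to an `action` parameter as well, update it, otherwise re-enable or delete it.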
