
issues: sanitize DisplayName #7009


Merged (3 commits, Jun 4, 2022)

Conversation

wuhan005 (Member) commented Jun 4, 2022

Describe the pull request

DisplayName allows all characters from users, which leads to an XSS vulnerability when it is displayed directly in the issue list.

Link to the issue: https://github.com/gogs/security-issues/issues/1

Checklist

  • I agree to follow the Code of Conduct by submitting this pull request.
  • I have read and acknowledge the Contributing guide.
  • I have added test cases to cover the new code.
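The pattern behind this PR, as an added example in Go rather than code from this PR or from Gogs: a user-controlled display name concatenated straight into the issue-list markup becomes live HTML, while escaping it on output (here with `html.EscapeString`, assumed as the mitigation since the page does not show the PR's implementation) or rendering it through `html/template` leaves it inert. The `User` type, the issue-row markup and the `IsInert` check are hypothetical and exist only for this example.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// User is a hypothetical stand-in for a user record whose DisplayName is
// free-form, user-supplied text. It is not the Gogs User model.
type User struct {
	Name        string // login name, constrained to a safe character set at sign-up
	DisplayName string // optional free-form name: anything the user typed
}

// SanitizeDisplayName neutralises HTML metacharacters so the value is inert
// in HTML text and quoted-attribute contexts (escape-on-output, assumed here
// as the mitigation; the PR's own implementation is not shown on the page).
func SanitizeDisplayName(s string) string {
	return html.EscapeString(s)
}

// renderIssueRowUnsafe shows the vulnerable pattern: the display name is
// concatenated straight into markup, so any tags the user typed are parsed
// as HTML by the browser viewing the issue list.
func renderIssueRowUnsafe(u User) string {
	return fmt.Sprintf(`<li>opened by <span class="poster">%s</span></li>`, u.DisplayName)
}

// renderIssueRowSanitized applies the escape before concatenation.
func renderIssueRowSanitized(u User) string {
	return fmt.Sprintf(`<li>opened by <span class="poster">%s</span></li>`,
		SanitizeDisplayName(u.DisplayName))
}

// issueRowTmpl is a hypothetical fragment of an issue-list template.
// html/template escapes {{.DisplayName}} according to its HTML context, so
// the protection does not depend on remembering the sanitizer at every site.
var issueRowTmpl = template.Must(template.New("row").Parse(
	`<li>opened by <span class="poster">{{.DisplayName}}</span></li>`))

func renderIssueRowTemplate(u User) string {
	var sb strings.Builder
	if err := issueRowTmpl.Execute(&sb, u); err != nil {
		panic(err) // an execute error on a fixed template is a programming bug, not bad input
	}
	return sb.String()
}

// IsInert reports whether s carries no raw HTML metacharacters, i.e. it can
// be placed in HTML text or a double-quoted attribute without altering the
// document structure. Ampersands are allowed because escaped output contains
// them by design. Useful as a property check in tests on sanitizer output.
func IsInert(s string) bool {
	return !strings.ContainsAny(s, `<>"'`)
}

func main() {
	// Constructed sample: a display name carrying a script tag.
	u := User{Name: "alice", DisplayName: `Alice <script>alert('x')</script>`}

	fmt.Println("unsafe:    ", renderIssueRowUnsafe(u))     // tag reaches the page verbatim
	fmt.Println("sanitized: ", renderIssueRowSanitized(u)) // &lt;script&gt;... rendered as text
	fmt.Println("template:  ", renderIssueRowTemplate(u))  // same result via auto-escaping
	fmt.Println("inert after sanitize:", IsInert(SanitizeDisplayName(u.DisplayName)))
}
```

Escaping at output time keeps the stored value intact (the user still sees the name they typed) while making it harmless wherever it is rendered; note that `html/template` additionally escapes `+`, so its output and `html.EscapeString`'s coincide for this sample but are not identical in general.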

@wuhan005 wuhan005 added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels Jun 4, 2022
@wuhan005 wuhan005 changed the title from "issues: display issue poster's Name instead of DisplayName" to "issues: display poster's Name instead of DisplayName" Jun 4, 2022
@wuhan005 wuhan005 requested a review from a team June 4, 2022 12:24
unknwon (Member) left a comment


Please also add a changelog entry.

@unknwon unknwon added this to the 0.12.9 milestone Jun 4, 2022
@wuhan005 wuhan005 changed the title from "issues: display poster's Name instead of DisplayName" to "issues: sanitize DisplayName" Jun 4, 2022
@wuhan005 wuhan005 requested a review from unknwon June 4, 2022 15:28
@wuhan005 wuhan005 merged commit 155cae1 into main Jun 4, 2022
@wuhan005 wuhan005 deleted the wh/issues/fix-xss branch June 4, 2022 16:53
unknwon pushed a commit that referenced this pull request Jun 7, 2022
* issues: display issue poster’s `Name` instead of `DisplayName`

* sanitize display name

* update changelog
dna2github pushed a commit to dna2fork/gogs that referenced this pull request May 1, 2023
* issues: display issue poster’s `Name` instead of `DisplayName`

* sanitize display name

* update changelog
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2023