[SECURITY] Fix XSS in dismissed review

- It's possible for reviews to not be assiocated with users, when they were migrated from another forge instance. In the migration code, there's no sanitization check for author names, so they could contain HTML tags and thus needs to be properely escaped. - Pass `$reviewerName` trough `Escape`. (cherry picked from commit fe2df46d05) Conflicts: templates/repo/issue/view_content/comments.tmpl trivial context conflict
2024-05-19 00:38:13 +00:00 · 2024-01-18 00:18:39 +01:00 · 2024-01-18 00:18:39 +01:00 · 4fdd0ed728
parent 37f03e065a
commit 4fdd0ed728
1 changed files with 1 additions and 1 deletions
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@ -775,7 +775,7 @@
 						{{else}}
 							{{$reviewerName = .Review.OriginalAuthor}}
 						{{end}}
-						{{$.locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}}
+						<span class="dismissed-message">{{$.locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
 					</span>
 				</div>
 				{{if .Content}}