From 4fdd0ed7282406cf245c922a7962ee75f8e74486 Mon Sep 17 00:00:00 2001
From: Gusted <postmaster@gusted.xyz>
Date: Thu, 18 Jan 2024 00:18:39 +0100
Subject: [PATCH] [SECURITY] Fix XSS in dismissed review

- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.

(cherry picked from commit fe2df46d053b3a06c30c9221899707d3b26c3013)

Conflicts:
	templates/repo/issue/view_content/comments.tmpl
	trivial context conflict
---
 templates/repo/issue/view_content/comments.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl
index e371df14dc..77ab603fff 100644
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@@ -775,7 +775,7 @@
 						{{else}}
 							{{$reviewerName = .Review.OriginalAuthor}}
 						{{end}}
-						{{$.locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}}
+						<span class="dismissed-message">{{$.locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
 					</span>
 				</div>
 				{{if .Content}}