Fix escaping issue in diff (#14153)

Ensure that linecontent is escaped before passing to template.HTML Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-11-04 08:30:25 +08:00 · 2020-12-26 21:58:21 +00:00
parent 5a1ccacac7
commit 236e70f135
1 changed files with 3 additions and 4 deletions
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"html"
 	"html/template"
 	"io"
 	"io/ioutil"
@@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
 // escape a line's content or return <br> needed for copy/paste purposes
 func getLineContent(content string) string {
 	if len(content) > 0 {
-		return content
+		return html.EscapeString(content)
 	}
-	return "\n"
+	return "<br>"
 }

 // DiffSection represents a section of a DiffFile.
@@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
 	diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
 	diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)

-	diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
-
 	return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
 }