Fix escaping issue in diff (#14153)

Ensure that line content is HTML-escaped before it is passed to template.HTML

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath 2020-12-26 21:58:21 +00:00 committed by GitHub
parent 5a1ccacac7
commit 236e70f135
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -10,6 +10,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"html"
"html/template" "html/template"
"io" "io"
"io/ioutil" "io/ioutil"
@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
// escape a line's content or return <br> needed for copy/paste purposes // escape a line's content or return <br> needed for copy/paste purposes
func getLineContent(content string) string { func getLineContent(content string) string {
if len(content) > 0 { if len(content) > 0 {
return content return html.EscapeString(content)
} }
return "\n" return "<br>"
} }
// DiffSection represents a section of a DiffFile. // DiffSection represents a section of a DiffFile.
@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true) diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord) diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type) return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
} }
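Review bot: The new contract of getLineContent — that its result is trusted markup meant to be wrapped in template.HTML — is not stated on the function, so a caller could escape it a second time or drop it into an attribute; suggested doc comment: `// getLineContent HTML-escapes content for use as template.HTML, or returns "<br>" for an empty line so copy/paste keeps the line break. Callers must not escape the result again.` The call sites are outside this hunk, so I cannot see whether every one wraps the result in template.HTML; a site that treats it as a plain string would now render `&lt;` literally. The highlighted path in GetComputedInlineDiffFor (the DiffMain/diffToHTML lines of the last hunk, whose function body begins outside the hunk) does not pass through getLineContent, so this fix presumably relies on highlight.Code and diffToHTML escaping on their own — a regression test that pushes a line such as `<script>alert(1)</script>` through both the plain and the highlighted path and asserts no unescaped tag survives would pin that down.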