From caadd1815a0343ae9c070e7befb6b40cf868c18e Mon Sep 17 00:00:00 2001
From: Earl Warren <contact@earl-warren.org>
Date: Wed, 5 Jun 2024 15:42:50 +0200
Subject: [PATCH] fix(oauth): HTML snippets in templates can be displayed These changes were missed when cherry-picking the following c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)
Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
---
 routers/web/auth/oauth.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 72473701de..c33c8029ce 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -10,6 +10,7 @@ import (
 "errors"
 "fmt"
 "html"
+ "html/template"
 "io"
 "net/http"
 "net/url"
@@ -502,11 +503,11 @@ func AuthorizeOAuth(ctx *context.Context) {
 ctx.Data["Scope"] = form.Scope
 ctx.Data["Nonce"] = form.Nonce
 if user != nil {
- ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name))
+ ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">@%s</a>`, html.EscapeString(user.HomeLink()), html.EscapeString(user.Name)))
 } else {
- ctx.Data["ApplicationCreatorLinkHTML"] = fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName))
+ ctx.Data["ApplicationCreatorLinkHTML"] = template.HTML(fmt.Sprintf(`<a href="%s">%s</a>`, html.EscapeString(setting.AppSubURL+"/"), html.EscapeString(setting.AppName)))
 }
- ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"
+ ctx.Data["ApplicationRedirectDomainHTML"] = template.HTML("<strong>" + html.EscapeString(form.RedirectURI) + "</strong>")
 // TODO document SESSION <=> FORM
 err = ctx.Session.Set("client_id", app.ClientID)
 if err != nil {
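Review bot: Wrapping these three values in `template.HTML` switches off html/template's auto-escaping for them, so the `html.EscapeString` calls inside each expression become the only thing keeping the request-supplied `form.RedirectURI` and `user.Name` from being rendered as markup, and nothing in the second hunk records that. A short comment above the `if user != nil` block would protect the invariant, e.g. `// template.HTML bypasses auto-escaping: every interpolated value below must stay wrapped in html.EscapeString`. Note also that `html.EscapeString` inside the `href` attributes does no URL-scheme filtering; that is presumably fine because `user.HomeLink()` and `setting.AppSubURL` look server-derived, but it is worth confirming. The diffstat lists no test file, so a regression test that renders the authorize page with markup in the redirect URI would pin both the display fix and the escaping. AuthorizeOAuth begins and continues outside the hunk.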