Fix possible xss bug

2024-02-25 13:19:39 +08:00 · 2024-02-25 13:19:39 +08:00 · 09be5ac173
parent 0be30d9e3a
commit 09be5ac173
1 changed files with 2 additions and 2 deletions
--- a/templates/repo/issue/view_content/comments.tmpl
+++ b/templates/repo/issue/view_content/comments.tmpl
@ -619,12 +619,12 @@
 				{{template "shared/user/avatarlink" dict "user" .Poster}}
 				<span class="text grey muted-links">
 					{{template "shared/user/authorlink" .Poster}}
-					{{$newProjectDisplayHtml := .CommentMetaData.ProjectTitle|Safe}}
+					{{$newProjectDisplayHtml := .CommentMetaData.ProjectTitle}}
 					{{if .Project}}
 						{{$trKey := printf "projects.type-%d.display_name" .Project.Type}}
 						{{$newProjectDisplayHtml = printf `%s <a href="%s"><span data-tooltip-content="%s">%s</span></a>` (svg .Project.IconName) (.Project.Link ctx) (ctx.Locale.Tr $trKey | Escape) (.Project.Title | Escape)}}
 					{{end}}
-					{{ctx.Locale.Tr "repo.issues.move_to_column_of_project" (.CommentMetaData.ProjectColumnTitle|Safe) ($newProjectDisplayHtml|Safe) $createdStr}}
+					{{ctx.Locale.Tr "repo.issues.move_to_column_of_project" (.CommentMetaData.ProjectColumnTitle|Escape) ($newProjectDisplayHtml|Safe) $createdStr}}
 				</span>
 			</div>
 			{{end}}