From 91ee3be58868eca4cf678932535dd721d591e06e Mon Sep 17 00:00:00 2001
From: zeripath
Date: Fri, 12 Mar 2021 04:43:04 +0000
Subject: [PATCH] Prevent incorrect HTML escaping in swagger.json (#14957)

* Prevent incorrect HTML escaping in swagger.json

Fix #14706

Signed-off-by: Andrew Thornton

* oops add it to the helper

Signed-off-by: Andrew Thornton

* try again

Signed-off-by: Andrew Thornton

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick
---
 Makefile | 4 ++--
 modules/templates/helper.go | 6 ++++++
 routers/api/v1/api.go | 2 +-
 templates/swagger/v1_json.tmpl | 4 ++--
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index 889ec2d3ff..00bdbab259 100644
--- a/Makefile
+++ b/Makefile
@@ -127,8 +127,8 @@ GO_SOURCES_OWN := $(filter-out vendor/% %/bindata.go, $(GO_SOURCES))
 #To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
-SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl}}/api/v1"|g
-SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
+SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index ab66cc7282..7e33f26209 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -92,6 +92,7 @@ func NewFuncMap() []template.FuncMap {
 },
 "Safe": Safe,
 "SafeJS": SafeJS,
+ "JSEscape": JSEscape,
 "Str2html": Str2html,
 "TimeSince": timeutil.TimeSince,
 "TimeSinceUnix": timeutil.TimeSinceUnix,
@@ -629,6 +630,11 @@ func Escape(raw string) string {
 return html.EscapeString(raw)
 }
 
+// JSEscape escapes a JS string
+func JSEscape(raw string) string {
+ return template.JSEscapeString(raw)
+}
+
 // List traversings the list
 func List(l *list.List) chan interface{} {
 e := l.Front()
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 57bcdf49f6..60c4f6d790 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -9,7 +9,7 @@
 //
 // Schemes: http, https
 // BasePath: /api/v1
-// Version: {{AppVer}}
+// Version: {{AppVer | JSEscape | Safe}}
 // License: MIT http://opensource.org/licenses/MIT
 //
 // Consumes:
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
index 930af907ea..d44583b816 100644
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -19,9 +19,9 @@
 "name": "MIT",
 "url": "http://opensource.org/licenses/MIT"
 },
- "version": "{{AppVer}}"
+ "version": "{{AppVer | JSEscape | Safe}}"
 },
- "basePath": "{{AppSubUrl}}/api/v1",
+ "basePath": "{{AppSubUrl | JSEscape | Safe}}/api/v1",
 "paths": {
 "/admin/cron": {
 "get": {
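Review bot: `template.JSEscapeString` in the new JSEscape body escapes for a JavaScript string literal, not for JSON — text/template writes an apostrophe as `\'`, which a strict JSON parser rejects, yet the only consumer added here is `v1_json.tmpl`, which is served as JSON. The values piped through it (AppSubUrl, AppVer) are operator configuration rather than request data, so the realistic failure is a malformed swagger.json rather than an injection, but that limit belongs in the doc comment so the helper is not later reused on a JSON body built from untrusted values; a JSON-specific encoder (e.g. the output of `json.Marshal` on the string) would be the safer primitive if such a use appears. Suggest replacing the one-line comment with `// JSEscape escapes raw for embedding in a JavaScript string literal via template.JSEscapeString. It is not a JSON encoder (apostrophes become \'); pair it with Safe only for trusted, config-derived values.`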