Escape tags and quotes in links.

This commit is contained in:
Justin Nuß 2014-07-22 20:08:04 +02:00
parent e194cf3291
commit 636a78fed1

View File

@ -8,6 +8,7 @@ import (
"errors"
"fmt"
"io/ioutil"
"html"
"html/template"
"os"
"path"
@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
}
func (repo *Repository) DescriptionHtml() template.HTML {
return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
sanitize := func(s string) string {
// TODO(nuss-justin): Improve sanitization. Strip all tags?
ss := html.EscapeString(s)
return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
}
return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
}
// IsRepositoryExist returns true if the repository with given name under user has already existed.