Escape tags and quotes in links.

Justin Nuß 2014-07-22 20:08:04 +02:00
parent e194cf3291
commit 636a78fed1
1 changed files with 8 additions and 1 deletions


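--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"html"
 	"html/template"
 	"os"
 	"path"
@@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
 }
 func (repo *Repository) DescriptionHtml() template.HTML {
-	return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
+	sanitize := func(s string) string {
+		// TODO(nuss-justin): Improve sanitization. Strip all tags?
+		ss := html.EscapeString(s)
+		return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
+	}
+	return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
 }
 // IsRepositoryExist returns true if the repository with given name under user has already existed.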
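Review bot: `html.EscapeString` in the new `sanitize` closure neutralises quotes and angle brackets, so the match can no longer break out of the `href` attribute, but it does nothing about the URL scheme itself — whether a `javascript:`-style value can reach `href` depends entirely on what `DescriptionPattern` (defined outside this hunk) is allowed to match, so that pattern should be checked to admit only `http`/`https` or the scheme should be validated here before the anchor is built. The closure also opens a `target="_blank"` link without `rel="noopener noreferrer"`, which should be added: `return fmt.Sprintf(`<a href="%s" target="_blank" rel="noopener noreferrer">%s</a>`, ss, ss)`. On the TODO at the top of the closure, escaping is the right approach for this output context and stripping tags would add nothing, so the comment could be resolved as `// The matched text is HTML-escaped before it is used as both href and link text.`, and the closure is better named `linkify` since it escapes and wraps rather than sanitises. In the import hunk, `"html"` was inserted after `"io/ioutil"`, which goimports would move ahead of `"html/template"`.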