Stop sanitizing full name in API (#17396)
The API convert.toUser function makes the incorrect assumption that full names could be rendered as is without being escaped. It therefore runs the names through markup.Sanitize, which leads to double escaping of user full names. This PR stops doing so. Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
parent
23d36929bc
commit
af96286f22
|
@ -6,7 +6,6 @@ package convert
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"code.gitea.io/gitea/models"
|
"code.gitea.io/gitea/models"
|
||||||
"code.gitea.io/gitea/modules/markup"
|
|
||||||
api "code.gitea.io/gitea/modules/structs"
|
api "code.gitea.io/gitea/modules/structs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -49,7 +48,7 @@ func toUser(user *models.User, signed, authed bool) *api.User {
|
||||||
result := &api.User{
|
result := &api.User{
|
||||||
ID: user.ID,
|
ID: user.ID,
|
||||||
UserName: user.Name,
|
UserName: user.Name,
|
||||||
FullName: markup.Sanitize(user.FullName),
|
FullName: user.FullName,
|
||||||
Email: user.GetEmail(),
|
Email: user.GetEmail(),
|
||||||
AvatarURL: user.AvatarLink(),
|
AvatarURL: user.AvatarLink(),
|
||||||
Created: user.CreatedUnix.AsTime(),
|
Created: user.CreatedUnix.AsTime(),
|
||||||
|
|
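Review bot: At `FullName: user.FullName,` the API now returns the stored, user-controlled full name verbatim, and nothing at the field says that escaping has become the consumer's job. I would add a comment on that line such as `// FullName is returned unescaped; callers must escape it for their own output context (HTML, Markdown, ...)`. Any in-tree or third-party consumer that inserted this field into HTML while relying on the earlier markup.Sanitize call would now be emitting raw input, so those render paths are worth checking; none of them are visible in this diff. A regression test that passes a full name containing `<`, `>` and `&` through toUser and asserts the value comes back byte-identical would pin the behaviour and catch double escaping if it returns. toUser's body continues outside the hunk, so the remaining fields cannot be judged from here.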