[SECURITY] Fix XSS in dismissed review

- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.

(cherry picked from commit fe2df46d05)

Conflicts:
	templates/repo/issue/view_content/comments.tmpl
	trivial context conflict
This commit is contained in:
Gusted 2024-01-18 00:18:39 +01:00 committed by Earl Warren
parent 37f03e065a
commit 4fdd0ed728
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00

View file

@ -775,7 +775,7 @@
{{else}} {{else}}
{{$reviewerName = .Review.OriginalAuthor}} {{$reviewerName = .Review.OriginalAuthor}}
{{end}} {{end}}
{{$.locale.Tr "repo.issues.review.dismissed" $reviewerName $createdStr | Safe}} <span class="dismissed-message">{{$.locale.Tr "repo.issues.review.dismissed" ($reviewerName | Escape) $createdStr | Safe}}</span>
</span> </span>
</div> </div>
{{if .Content}} {{if .Content}}