mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-19 12:52:11 +03:00
d24c37e132
- On the wiki and revisions page, information is shown about the last commit that modified that wiki page. This includes the time it was last edited and by whom. That whole string is not being sanitized (passed trough `Safe` in the templates), because the last edited bit is formatted as an HTML element and thus shouldn't be sanitized. The problem with this is that now `.Author.Name` is not being sanitized. - This can be exploited, the names of authors and commiters on a Git commit is user controlled, they can be any value and thus also include HTML. It's not easy to actually exploit this, as you cannot use the official git binary to do use, as they actually strip `<` and `>` from user names (trivia: this behaviour was introduced in the initial commit of Git). In the integration testing, go-git actually has to generate this commit as they don't have such restrictions. - Pass `.Author.Name` trough `Escape` in order to be sanitized.
115 lines
4.6 KiB
Go HTML Template
115 lines
4.6 KiB
Go HTML Template
{{template "base/head" .}}
|
|
<div role="main" aria-label="{{.Title}}" class="page-content repository wiki view">
|
|
{{template "repo/header" .}}
|
|
{{$title := .title}}
|
|
<div class="ui container">
|
|
<div class="repo-button-row">
|
|
<div class="gt-df gt-ac">
|
|
<div class="ui floating filter dropdown" data-no-results="{{ctx.Locale.Tr "repo.pulls.no_results"}}">
|
|
<div class="ui basic small button">
|
|
<span class="text">
|
|
{{ctx.Locale.Tr "repo.wiki.page"}}:
|
|
<strong>{{$title}}</strong>
|
|
</span>
|
|
{{svg "octicon-triangle-down" 14 "dropdown icon"}}
|
|
</div>
|
|
<div class="menu">
|
|
<div class="ui icon search input">
|
|
<i class="icon">{{svg "octicon-filter" 16}}</i>
|
|
<input name="search" placeholder="{{ctx.Locale.Tr "repo.wiki.filter_page"}}...">
|
|
</div>
|
|
<div class="scrolling menu">
|
|
<a class="item muted" href="{{.RepoLink}}/wiki/?action=_pages">{{ctx.Locale.Tr "repo.wiki.pages"}}</a>
|
|
<div class="divider"></div>
|
|
{{range .Pages}}
|
|
<a class="item {{if eq $.Title .Name}}selected{{end}}" href="{{$.RepoLink}}/wiki/{{.SubURL}}">{{.Name}}</a>
|
|
{{end}}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
<div class="ui action small input gt-df gt-ac" id="clone-panel">
|
|
{{template "repo/clone_buttons" .}}
|
|
{{template "repo/clone_script" .}}
|
|
</div>
|
|
</div>
|
|
<div class="ui dividing header">
|
|
<div class="ui stackable grid">
|
|
<div class="eight wide column">
|
|
<a class="file-revisions-btn ui basic button" title="{{ctx.Locale.Tr "repo.wiki.file_revision"}}" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_revision" ><span>{{.CommitCount}}</span> {{svg "octicon-history"}}</a>
|
|
{{$title}}
|
|
<div class="ui sub header">
|
|
{{$timeSince := TimeSince .Author.When ctx.Locale}}
|
|
{{ctx.Locale.Tr "repo.wiki.last_commit_info" (.Author.Name | Escape) $timeSince | Safe}}
|
|
</div>
|
|
</div>
|
|
<div class="eight wide right aligned column">
|
|
{{if .EscapeStatus.Escaped}}
|
|
<a class="ui small button unescape-button gt-hidden">{{ctx.Locale.Tr "repo.unescape_control_characters"}}</a>
|
|
<a class="ui small button escape-button">{{ctx.Locale.Tr "repo.escape_control_characters"}}</a>
|
|
{{end}}
|
|
{{if and .CanWriteWiki (not .Repository.IsMirror)}}
|
|
<div class="ui right">
|
|
<a class="ui small button" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_edit">{{ctx.Locale.Tr "repo.wiki.edit_page_button"}}</a>
|
|
<a class="ui small primary button" href="{{.RepoLink}}/wiki?action=_new">{{ctx.Locale.Tr "repo.wiki.new_page_button"}}</a>
|
|
<a class="ui small red button delete-button" href="" data-url="{{.RepoLink}}/wiki/{{.PageURL}}?action=_delete" data-id="{{.PageURL}}">{{ctx.Locale.Tr "repo.wiki.delete_page_button"}}</a>
|
|
</div>
|
|
{{end}}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
{{if .FormatWarning}}
|
|
<div class="ui negative message">
|
|
<p>{{.FormatWarning}}</p>
|
|
</div>
|
|
{{end}}
|
|
|
|
<div class="wiki-content-parts">
|
|
{{if .sidebarTocContent}}
|
|
<div class="markup wiki-content-sidebar wiki-content-toc">
|
|
{{.sidebarTocContent | Safe}}
|
|
</div>
|
|
{{end}}
|
|
|
|
<div class="markup wiki-content-main {{if or .sidebarTocContent .sidebarPresent}}with-sidebar{{end}}">
|
|
{{template "repo/unicode_escape_prompt" dict "EscapeStatus" .EscapeStatus "root" $}}
|
|
{{.content | Safe}}
|
|
</div>
|
|
|
|
{{if .sidebarPresent}}
|
|
<div class="markup wiki-content-sidebar">
|
|
{{if and .CanWriteWiki (not .Repository.IsMirror)}}
|
|
<a class="gt-float-right muted" href="{{.RepoLink}}/wiki/_Sidebar?action=_edit" aria-label="{{ctx.Locale.Tr "repo.wiki.edit_page_button"}}">{{svg "octicon-pencil"}}</a>
|
|
{{end}}
|
|
{{template "repo/unicode_escape_prompt" dict "EscapeStatus" .sidebarEscapeStatus "root" $}}
|
|
{{.sidebarContent | Safe}}
|
|
</div>
|
|
{{end}}
|
|
|
|
<div class="gt-clear-both"></div>
|
|
|
|
{{if .footerPresent}}
|
|
<div class="markup wiki-content-footer">
|
|
{{if and .CanWriteWiki (not .Repository.IsMirror)}}
|
|
<a class="gt-float-right muted" href="{{.RepoLink}}/wiki/_Footer?action=_edit" aria-label="{{ctx.Locale.Tr "repo.wiki.edit_page_button"}}">{{svg "octicon-pencil"}}</a>
|
|
{{end}}
|
|
{{template "repo/unicode_escape_prompt" dict "footerEscapeStatus" .sidebarEscapeStatus "root" $}}
|
|
{{.footerContent | Safe}}
|
|
</div>
|
|
{{end}}
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<div class="ui g-modal-confirm delete modal">
|
|
<div class="header">
|
|
{{svg "octicon-trash"}}
|
|
{{ctx.Locale.Tr "repo.wiki.delete_page_button"}}
|
|
</div>
|
|
<div class="content">
|
|
<p>{{ctx.Locale.Tr "repo.wiki.delete_page_notice_1" ($title|Escape) | Safe}}</p>
|
|
</div>
|
|
{{template "base/modal_actions_confirm" .}}
|
|
</div>
|
|
|
|
{{template "base/footer" .}}
|