From ab22327e062840c99327fc68c93004f5b1d6ca00 Mon Sep 17 00:00:00 2001 From: wxiaoguang Date: Sun, 25 Feb 2024 13:47:25 +0800 Subject: [PATCH] fix --- modules/templates/helper.go | 31 ++++++++++++++++--- templates/admin/packages/list.tmpl | 2 +- templates/admin/repo/list.tmpl | 2 +- templates/admin/stacktrace.tmpl | 2 +- templates/mail/issue/assigned.tmpl | 8 ++--- templates/mail/issue/default.tmpl | 8 ++--- templates/mail/notify/repo_transfer.tmpl | 4 +-- templates/mail/release.tmpl | 6 ++-- templates/org/member/members.tmpl | 4 +-- templates/org/team/members.tmpl | 2 +- templates/org/team/sidebar.tmpl | 2 +- templates/org/team/teams.tmpl | 2 +- templates/repo/commit_page.tmpl | 4 +-- templates/repo/editor/cherry_pick.tmpl | 6 ++-- .../repo/issue/view_content/comments.tmpl | 14 ++++----- templates/repo/issue/view_content/pull.tmpl | 2 +- templates/repo/issue/view_title.tmpl | 18 +++++------ templates/repo/settings/lfs_file.tmpl | 4 +-- templates/repo/settings/webhook/settings.tmpl | 2 +- templates/repo/wiki/view.tmpl | 8 ++--- templates/user/settings/organization.tmpl | 2 +- 21 files changed, 77 insertions(+), 56 deletions(-) diff --git a/modules/templates/helper.go b/modules/templates/helper.go index 691f7547488db..4eaf738c85ea6 100644 --- a/modules/templates/helper.go +++ b/modules/templates/helper.go @@ -9,6 +9,7 @@ import ( "html" "html/template" "net/url" + "slices" "strings" "time" @@ -34,7 +35,7 @@ func NewFuncMap() template.FuncMap { // html/template related functions "dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names. "Eval": Eval, - "Safe": Safe, + "HTML": HTMLFormat, "Escape": Escape, "QueryEscape": url.QueryEscape, "JSEscape": JSEscapeSafe, @@ -177,13 +178,33 @@ func NewFuncMap() template.FuncMap { } } -// Safe render raw as HTML -func Safe(s any) template.HTML { +func htmlFormat(s string, rawArgs ...any) template.HTML { + if len(rawArgs) == 0 { + return template.HTML(s) + } + args := slices.Clone(rawArgs) + for i, v := range args { + switch v := v.(type) { + case nil, bool, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, float32, float64, template.HTML: + // for most basic types (including template.HTML which is safe), just do nothing and use it + case string: + args[i] = template.HTMLEscapeString(v) + case fmt.Stringer: + args[i] = template.HTMLEscapeString(v.String()) + default: + args[i] = template.HTMLEscapeString(fmt.Sprint(v)) + } + } + return template.HTML(fmt.Sprintf(s, args...)) +} + +// HTMLFormat render raw as HTML +func HTMLFormat(s any, args ...any) template.HTML { switch v := s.(type) { case string: - return template.HTML(v) + return htmlFormat(v, args...) case template.HTML: - return v + return htmlFormat(string(v), args...) } panic(fmt.Sprintf("unexpected type %T", s)) } diff --git a/templates/admin/packages/list.tmpl b/templates/admin/packages/list.tmpl index 04f76748d081f..891e370a8a1f9 100644 --- a/templates/admin/packages/list.tmpl +++ b/templates/admin/packages/list.tmpl @@ -88,7 +88,7 @@ {{ctx.Locale.Tr "packages.settings.delete"}}
- {{ctx.Locale.Tr "packages.settings.delete.notice" (``|Safe) (``|Safe)}} + {{ctx.Locale.Tr "packages.settings.delete.notice" (``|HTML) (``|HTML)}}
{{template "base/modal_actions_confirm" .}} diff --git a/templates/admin/repo/list.tmpl b/templates/admin/repo/list.tmpl index c7a6ec7e4e9f8..9bb7e6983100d 100644 --- a/templates/admin/repo/list.tmpl +++ b/templates/admin/repo/list.tmpl @@ -101,7 +101,7 @@

{{ctx.Locale.Tr "repo.settings.delete_desc"}}

- {{ctx.Locale.Tr "repo.settings.delete_notices_2" (``|Safe)}}
+ {{ctx.Locale.Tr "repo.settings.delete_notices_2" (``|HTML)}}
{{ctx.Locale.Tr "repo.settings.delete_notices_fork_1"}}
{{template "base/modal_actions_confirm" .}} diff --git a/templates/admin/stacktrace.tmpl b/templates/admin/stacktrace.tmpl index aa5e810cd780d..a6b4b9706535d 100644 --- a/templates/admin/stacktrace.tmpl +++ b/templates/admin/stacktrace.tmpl @@ -39,7 +39,7 @@ {{ctx.Locale.Tr "admin.monitor.process.cancel"}}
-

{{ctx.Locale.Tr "admin.monitor.process.cancel_notices" (``|Safe)}}

+

{{ctx.Locale.Tr "admin.monitor.process.cancel_notices" (``|HTML)}}

{{ctx.Locale.Tr "admin.monitor.process.cancel_desc"}}

{{template "base/modal_actions_confirm" .}} diff --git a/templates/mail/issue/assigned.tmpl b/templates/mail/issue/assigned.tmpl index e80bd2fc31c1a..e3e731c483592 100644 --- a/templates/mail/issue/assigned.tmpl +++ b/templates/mail/issue/assigned.tmpl @@ -8,14 +8,14 @@ {{.Subject}} -{{$repo_url := printf "%s" (Escape .Issue.Repo.HTMLURL) (Escape .Issue.Repo.FullName)}} -{{$link := printf "#%d" (Escape .Link) .Issue.Index}} +{{$repo_url := HTML "%s" .Issue.Repo.HTMLURL Escape .Issue.Repo.FullName}} +{{$link := HTML "#%d" .Link .Issue.Index}}

{{if .IsPull}} - {{.locale.Tr "mail.issue_assigned.pull" .Doer.Name ($link|Safe) ($repo_url|Safe)}} + {{.locale.Tr "mail.issue_assigned.pull" .Doer.Name $link $repo_url}} {{else}} - {{.locale.Tr "mail.issue_assigned.issue" .Doer.Name ($link|Safe) ($repo_url|Safe)}} + {{.locale.Tr "mail.issue_assigned.issue" .Doer.Name $link $repo_url}} {{end}}

diff --git a/templates/mail/issue/default.tmpl b/templates/mail/issue/default.tmpl index 54ae726d71d25..19b74c4686d66 100644 --- a/templates/mail/issue/default.tmpl +++ b/templates/mail/issue/default.tmpl @@ -22,13 +22,13 @@ {{if .Comment.IsForcePush}} {{$oldCommitUrl := printf "%s/commit/%s" .Comment.Issue.PullRequest.BaseRepo.HTMLURL .Comment.OldCommit}} {{$oldShortSha := ShortSha .Comment.OldCommit}} - {{$oldCommitLink := printf "%[2]s" (Escape $oldCommitUrl) (Escape $oldShortSha)}} + {{$oldCommitLink := HTML "%[2]s" $oldCommitUrl $oldShortSha}} {{$newCommitUrl := printf "%s/commit/%s" .Comment.Issue.PullRequest.BaseRepo.HTMLURL .Comment.NewCommit}} {{$newShortSha := ShortSha .Comment.NewCommit}} - {{$newCommitLink := printf "%[2]s" (Escape $newCommitUrl) (Escape $newShortSha)}} + {{$newCommitLink := HTML "%[2]s" $newCommitUrl $newShortSha}} - {{.locale.Tr "mail.issue.action.force_push" .Doer.Name .Comment.Issue.PullRequest.HeadBranch ($oldCommitLink|Safe) ($newCommitLink|Safe)}} + {{.locale.Tr "mail.issue.action.force_push" .Doer.Name .Comment.Issue.PullRequest.HeadBranch $oldCommitLink $newCommitLink}} {{else}} {{.locale.TrN (len .Comment.Commits) "mail.issue.action.push_1" "mail.issue.action.push_n" .Doer.Name .Comment.Issue.PullRequest.HeadBranch (len .Comment.Commits)}} {{end}} @@ -65,7 +65,7 @@ {{$.locale.Tr "mail.issue.in_tree_path" .TreePath}} 
{{.Patch}}
-
{{.RenderedContent | Safe}}
+
{{.RenderedContent | HTML}}
{{end -}} {{if eq .ActionName "push"}} diff --git a/templates/mail/notify/repo_transfer.tmpl b/templates/mail/notify/repo_transfer.tmpl index 1b23593f6ba77..cd62bf506e9aa 100644 --- a/templates/mail/notify/repo_transfer.tmpl +++ b/templates/mail/notify/repo_transfer.tmpl @@ -5,10 +5,10 @@ {{.Subject}} -{{$url := printf "%[2]s" (Escape .Link) (Escape .Repo)}} +{{$url := HTML "%[2]s" .Link .Repo)}}

{{.Subject}}. - {{.locale.Tr "mail.repo.transfer.body" ($url|Safe)}} + {{.locale.Tr "mail.repo.transfer.body" $url}}

--- diff --git a/templates/mail/release.tmpl b/templates/mail/release.tmpl index 96dc7699931e5..4dfdeebeb7abb 100644 --- a/templates/mail/release.tmpl +++ b/templates/mail/release.tmpl @@ -11,11 +11,11 @@ -{{$release_url := printf "%s" (.Release.HTMLURL | Escape) (.Release.TagName | Escape)}} -{{$repo_url := printf "%s" (.Release.Repo.HTMLURL | Escape) (.Release.Repo.FullName | Escape)}} +{{$release_url := HTML "%s" .Release.HTMLURL .Release.TagName}} +{{$repo_url := HTML "%s" .Release.Repo.HTMLURL .Release.Repo.FullName}}

- {{.locale.Tr "mail.release.new.text" .Release.Publisher.Name ($release_url|Safe) ($repo_url|Safe)}} + {{.locale.Tr "mail.release.new.text" .Release.Publisher.Name $release_url $repo_url}}

{{.locale.Tr "mail.release.title" .Release.Title}}

diff --git a/templates/org/member/members.tmpl b/templates/org/member/members.tmpl index 64f1aaa7d2f53..32689dd040d53 100644 --- a/templates/org/member/members.tmpl +++ b/templates/org/member/members.tmpl @@ -73,7 +73,7 @@ {{ctx.Locale.Tr "org.members.leave"}}

-

{{ctx.Locale.Tr "org.members.leave.detail" (``|Safe)}}

+

{{ctx.Locale.Tr "org.members.leave.detail" (``|HTML)}}

{{template "base/modal_actions_confirm" .}} @@ -82,7 +82,7 @@ {{ctx.Locale.Tr "org.members.remove"}}
-

{{ctx.Locale.Tr "org.members.remove.detail" (``|Safe) (``|Safe)}}

+

{{ctx.Locale.Tr "org.members.remove.detail" (``|HTML) (``|HTML)}}

{{template "base/modal_actions_confirm" .}} diff --git a/templates/org/team/members.tmpl b/templates/org/team/members.tmpl index dd4ece14335a1..a43921dc25e11 100644 --- a/templates/org/team/members.tmpl +++ b/templates/org/team/members.tmpl @@ -81,7 +81,7 @@ {{ctx.Locale.Tr "org.members.remove"}}
-

{{ctx.Locale.Tr "org.members.remove.detail" (``|Safe) (``|Safe)}}

+

{{ctx.Locale.Tr "org.members.remove.detail" (``|HTML) (``|HTML)}}

{{template "base/modal_actions_confirm" .}} diff --git a/templates/org/team/sidebar.tmpl b/templates/org/team/sidebar.tmpl index 440fa11dc950f..8cf9202dd46c9 100644 --- a/templates/org/team/sidebar.tmpl +++ b/templates/org/team/sidebar.tmpl @@ -88,7 +88,7 @@ {{ctx.Locale.Tr "org.teams.leave"}}
-

{{ctx.Locale.Tr "org.teams.leave.detail" (``|Safe)}}

+

{{ctx.Locale.Tr "org.teams.leave.detail" (``|HTML)}}

{{template "base/modal_actions_confirm" .}} diff --git a/templates/org/team/teams.tmpl b/templates/org/team/teams.tmpl index b518d7d9d738d..3214100557078 100644 --- a/templates/org/team/teams.tmpl +++ b/templates/org/team/teams.tmpl @@ -49,7 +49,7 @@ {{ctx.Locale.Tr "org.teams.leave"}}
-

{{ctx.Locale.Tr "org.teams.leave.detail" (``|Safe)}}

+

{{ctx.Locale.Tr "org.teams.leave.detail" (``|HTML)}}

{{template "base/modal_actions_confirm" .}} diff --git a/templates/repo/commit_page.tmpl b/templates/repo/commit_page.tmpl index fbfaa19411bfe..deaf2b4433eda 100644 --- a/templates/repo/commit_page.tmpl +++ b/templates/repo/commit_page.tmpl @@ -88,7 +88,7 @@ {{.CsrfTokenHtml}}
@@ -113,7 +113,7 @@
diff --git a/templates/repo/editor/cherry_pick.tmpl b/templates/repo/editor/cherry_pick.tmpl index b65c3a30337fb..936e5cf98942c 100644 --- a/templates/repo/editor/cherry_pick.tmpl +++ b/templates/repo/editor/cherry_pick.tmpl @@ -11,11 +11,11 @@
{{$shaurl := printf "%s/commit/%s" $.RepoLink (PathEscape .SHA)}} - {{$shalink := printf `%s` (Escape $shaurl) (ShortSha .SHA)}} + {{$shalink := HTML `%s` $shaurl (ShortSha .SHA)}} {{if eq .CherryPickType "revert"}} - {{ctx.Locale.Tr "repo.editor.revert" ($shalink|Safe)}} + {{ctx.Locale.Tr "repo.editor.revert" $shalink}} {{else}} - {{ctx.Locale.Tr "repo.editor.cherry_pick" ($shalink|Safe)}} + {{ctx.Locale.Tr "repo.editor.cherry_pick" $shalink}} {{end}} {{.Repository.FullName}}
:
diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl index 7bd7e8c35d6d0..079dd054a9022 100644 --- a/templates/repo/issue/view_content/comments.tmpl +++ b/templates/repo/issue/view_content/comments.tmpl @@ -112,9 +112,9 @@ {{template "shared/user/authorlink" .Poster}} {{$link := printf "%s/commit/%s" $.Repository.Link ($.Issue.PullRequest.MergedCommitID|PathEscape)}} {{if eq $.Issue.PullRequest.Status 3}} - {{ctx.Locale.Tr "repo.issues.comment_manually_pull_merged_at" (printf `%[2]s` ($link|Escape) (ShortSha $.Issue.PullRequest.MergedCommitID) | Safe) (printf "%[1]s" ($.BaseTarget|Escape) | Safe) $createdStr}} + {{ctx.Locale.Tr "repo.issues.comment_manually_pull_merged_at" (HTML `%[2]s` $link (ShortSha $.Issue.PullRequest.MergedCommitID)) (HTML "%[1]s" $.BaseTarget) $createdStr}} {{else}} - {{ctx.Locale.Tr "repo.issues.comment_pull_merged_at" (printf `%[2]s` ($link|Escape) (ShortSha $.Issue.PullRequest.MergedCommitID) | Safe) (printf "%[1]s" ($.BaseTarget|Escape) | Safe) $createdStr}} + {{ctx.Locale.Tr "repo.issues.comment_pull_merged_at" (HTML `%[2]s` $link (ShortSha $.Issue.PullRequest.MergedCommitID)) (HTML "%[1]s" $.BaseTarget) $createdStr}} {{end}}
@@ -595,19 +595,19 @@ {{$oldProjectDisplayHtml := "Unknown Project"}} {{if .OldProject}} {{$trKey := printf "projects.type-%d.display_name" .OldProject.Type}} - {{$oldProjectDisplayHtml = printf `%s` (ctx.Locale.Tr $trKey | Escape) (.OldProject.Title | Escape)}} + {{$oldProjectDisplayHtml = HTML `%s` (ctx.Locale.Tr $trKey) .OldProject.Title}} {{end}} {{$newProjectDisplayHtml := "Unknown Project"}} {{if .Project}} {{$trKey := printf "projects.type-%d.display_name" .Project.Type}} - {{$newProjectDisplayHtml = printf `%s` (ctx.Locale.Tr $trKey | Escape) (.Project.Title | Escape)}} + {{$newProjectDisplayHtml = HTML `%s` (ctx.Locale.Tr $trKey) .Project.Title}} {{end}} {{if and (gt .OldProjectID 0) (gt .ProjectID 0)}} - {{ctx.Locale.Tr "repo.issues.change_project_at" ($oldProjectDisplayHtml|Safe) ($newProjectDisplayHtml|Safe) $createdStr}} + {{ctx.Locale.Tr "repo.issues.change_project_at" $oldProjectDisplayHtml $newProjectDisplayHtml $createdStr}} {{else if gt .OldProjectID 0}} - {{ctx.Locale.Tr "repo.issues.remove_project_at" ($oldProjectDisplayHtml|Safe) $createdStr}} + {{ctx.Locale.Tr "repo.issues.remove_project_at" $oldProjectDisplayHtml $createdStr}} {{else if gt .ProjectID 0}} - {{ctx.Locale.Tr "repo.issues.add_project_at" ($newProjectDisplayHtml|Safe) $createdStr}} + {{ctx.Locale.Tr "repo.issues.add_project_at" $newProjectDisplayHtml $createdStr}} {{end}}
diff --git a/templates/repo/issue/view_content/pull.tmpl b/templates/repo/issue/view_content/pull.tmpl index 13d49b61b76c1..b614d9137ff81 100644 --- a/templates/repo/issue/view_content/pull.tmpl +++ b/templates/repo/issue/view_content/pull.tmpl @@ -39,7 +39,7 @@ {{ctx.Locale.Tr "repo.pulls.merged_success"}}
- {{ctx.Locale.Tr "repo.pulls.merged_info_text" (printf "%s" (.HeadTarget | Escape) | Safe)}} + {{ctx.Locale.Tr "repo.pulls.merged_info_text" (HTML "%s" .HeadTarget)}}
diff --git a/templates/repo/issue/view_title.tmpl b/templates/repo/issue/view_title.tmpl index 9b4657b634756..ed03cc4e49362 100644 --- a/templates/repo/issue/view_title.tmpl +++ b/templates/repo/issue/view_title.tmpl @@ -43,31 +43,31 @@ {{end}}
{{if .Issue.IsPull}} - {{$headHref := .HeadTarget|Escape}} + {{$headHref := .HeadTarget}} {{if .HeadBranchLink}} - {{$headHref = printf `%s` (.HeadBranchLink | Escape) $headHref}} + {{$headHref = HTML `%s` .HeadBranchLink $headHref}} {{end}} - {{$headHref = printf `%s ` $headHref (ctx.Locale.Tr "copy_branch") (.HeadTarget | Escape) (svg "octicon-copy" 14)}} - {{$baseHref := .BaseTarget|Escape}} + {{$headHref = HTML `%s ` $headHref (ctx.Locale.Tr "copy_branch") .HeadTarget (svg "octicon-copy" 14)}} + {{$baseHref := .BaseTarget}} {{if .BaseBranchLink}} - {{$baseHref = printf `%s` (.BaseBranchLink | Escape) $baseHref}} + {{$baseHref = HTML `%s` .BaseBranchLink $baseHref}} {{end}} {{if .Issue.PullRequest.HasMerged}} {{$mergedStr:= TimeSinceUnix .Issue.PullRequest.MergedUnix ctx.Locale}} {{if .Issue.OriginalAuthor}} {{.Issue.OriginalAuthor}} - {{ctx.Locale.Tr "repo.pulls.merged_title_desc" .NumCommits ($headHref|Safe) ($baseHref|Safe) $mergedStr}} + {{ctx.Locale.Tr "repo.pulls.merged_title_desc" .NumCommits $headHref $baseHref $mergedStr}} {{else}} {{.Issue.PullRequest.Merger.GetDisplayName}} - {{ctx.Locale.Tr "repo.pulls.merged_title_desc" .NumCommits ($headHref|Safe) ($baseHref|Safe) $mergedStr}} + {{ctx.Locale.Tr "repo.pulls.merged_title_desc" .NumCommits $headHref $baseHref $mergedStr}} {{end}} {{else}} {{if .Issue.OriginalAuthor}} - {{.Issue.OriginalAuthor}} {{ctx.Locale.Tr "repo.pulls.title_desc" .NumCommits ($headHref|Safe) ($baseHref|Safe)}} + {{.Issue.OriginalAuthor}} {{ctx.Locale.Tr "repo.pulls.title_desc" .NumCommits $headHref $baseHref}} {{else}} {{.Issue.Poster.GetDisplayName}} - {{ctx.Locale.Tr "repo.pulls.title_desc" .NumCommits ($headHref|Safe) ($baseHref|Safe)}} + {{ctx.Locale.Tr "repo.pulls.title_desc" .NumCommits $headHref $baseHref}} {{end}} diff --git a/templates/repo/settings/lfs_file.tmpl b/templates/repo/settings/lfs_file.tmpl index 0aeb2af178b24..a52a162bf5879 100644 --- a/templates/repo/settings/lfs_file.tmpl +++ b/templates/repo/settings/lfs_file.tmpl @@ -15,9 +15,9 @@ {{template "repo/unicode_escape_prompt" dict "EscapeStatus" .EscapeStatus "root" $}}
{{if .IsMarkup}} - {{if .FileContent}}{{.FileContent | Safe}}{{end}} + {{if .FileContent}}{{.FileContent | HTML}}{{end}} {{else if .IsPlainText}} - 
{{if .FileContent}}{{.FileContent | Safe}}{{end}}
+ 
{{if .FileContent}}{{.FileContent | HTML}}{{end}}
{{else if not .IsTextFile}}
{{if .IsImageFile}} diff --git a/templates/repo/settings/webhook/settings.tmpl b/templates/repo/settings/webhook/settings.tmpl index f636108b379c8..97b3386519601 100644 --- a/templates/repo/settings/webhook/settings.tmpl +++ b/templates/repo/settings/webhook/settings.tmpl @@ -263,7 +263,7 @@ {{if ne .HookType "matrix"}}{{/* Matrix doesn't make the authorization optional but it is implied by the help string, should be changed.*/}} - {{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("Bearer token123456, Basic YWxhZGRpbjpvcGVuc2VzYW1l" | Safe)}} + {{ctx.Locale.Tr "repo.settings.authorization_header_desc" ("Bearer token123456, Basic YWxhZGRpbjpvcGVuc2VzYW1l" | HTML)}} {{end}}
diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl index 5b296dc2af4e5..39015c2760a08 100644 --- a/templates/repo/wiki/view.tmpl +++ b/templates/repo/wiki/view.tmpl @@ -67,13 +67,13 @@
{{if .sidebarTocContent}}
- {{.sidebarTocContent | Safe}} + {{.sidebarTocContent | HTML}}
{{end}}
{{template "repo/unicode_escape_prompt" dict "EscapeStatus" .EscapeStatus "root" $}} - {{.content | Safe}} + {{.content | HTML}}
{{if .sidebarPresent}} @@ -82,7 +82,7 @@ {{svg "octicon-pencil"}} {{end}} {{template "repo/unicode_escape_prompt" dict "EscapeStatus" .sidebarEscapeStatus "root" $}} - {{.sidebarContent | Safe}} + {{.sidebarContent | HTML}}
{{end}} @@ -94,7 +94,7 @@ {{svg "octicon-pencil"}} {{end}} {{template "repo/unicode_escape_prompt" dict "footerEscapeStatus" .sidebarEscapeStatus "root" $}} - {{.footerContent | Safe}} + {{.footerContent | HTML}}
{{end}}
diff --git a/templates/user/settings/organization.tmpl b/templates/user/settings/organization.tmpl index 102ff2e95bcc9..36e1532a69fa6 100644 --- a/templates/user/settings/organization.tmpl +++ b/templates/user/settings/organization.tmpl @@ -47,7 +47,7 @@ {{ctx.Locale.Tr "org.members.leave"}}
-

{{ctx.Locale.Tr "org.members.leave.detail" (``|Safe)}}

+

{{ctx.Locale.Tr "org.members.leave.detail" (``|HTML)}}

{{template "base/modal_actions_confirm" .}}