Prevent incorrect HTML escaping in swagger.json (#14957)

* Prevent incorrect HTML escaping in swagger.json Fix #14706 Signed-off-by: Andrew Thornton <art27@cantab.net> * oops add it to the helper Signed-off-by: Andrew Thornton <art27@cantab.net> * try again Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2025-11-04 04:14:01 +01:00 · 2021-03-12 04:43:04 +00:00 · 2021-03-12 04:43:04 +00:00 · 91ee3be588
commit 91ee3be588
parent df76d9f7ad
4 changed files with 11 additions and 5 deletions
--- a/4
+++ b/4
@ -127,8 +127,8 @@ GO_SOURCES_OWN := $(filter-out vendor/% %/bindata.go, $(GO_SOURCES))
 #To update swagger use: GO111MODULE=on go get -u github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER := $(GO) run -mod=vendor github.com/go-swagger/go-swagger/cmd/swagger
 SWAGGER_SPEC := templates/swagger/v1_json.tmpl
-SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl}}/api/v1"|g
-SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl}}/api/v1"|"basePath": "/api/v1"|g
+SWAGGER_SPEC_S_TMPL := s|"basePath": *"/api/v1"|"basePath": "{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|g
+SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape \| Safe}}/api/v1"|"basePath": "/api/v1"|g
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'

--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@ -92,6 +92,7 @@ func NewFuncMap() []template.FuncMap {
 		},
 		"Safe":          Safe,
 		"SafeJS":        SafeJS,
+		"JSEscape":      JSEscape,
 		"Str2html":      Str2html,
 		"TimeSince":     timeutil.TimeSince,
 		"TimeSinceUnix": timeutil.TimeSinceUnix,
@ -629,6 +630,11 @@ func Escape(raw string) string {
 	return html.EscapeString(raw)
 }

+// JSEscape escapes a JS string
+func JSEscape(raw string) string {
+	return template.JSEscapeString(raw)
+}
+
 // List traversings the list
 func List(l *list.List) chan interface{} {
 	e := l.Front()
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@ -9,7 +9,7 @@
 //
 //     Schemes: http, https
 //     BasePath: /api/v1
-//     Version: {{AppVer}}
+//     Version: {{AppVer | JSEscape | Safe}}
 //     License: MIT http://opensource.org/licenses/MIT
 //
 //     Consumes:
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@ -19,9 +19,9 @@
      "name": "MIT",
      "url": "http://opensource.org/licenses/MIT"
    },
-    "version": "{{AppVer}}"
+    "version": "{{AppVer | JSEscape | Safe}}"
  },
-  "basePath": "{{AppSubUrl}}/api/v1",
+  "basePath": "{{AppSubUrl | JSEscape | Safe}}/api/v1",
  "paths": {
    "/admin/cron": {
      "get": {