Stop sanitizing full name in API (#17396)

The API convert.toUser function makes the incorrect assumption that full names could
be rendered as is without being escaped. It therefore runs the names through
markup.Sanitize, which leads to a double escape of user full names. This
PR stops doing that.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
zeripath 2021-10-22 08:17:35 +01:00 committed by GitHub
parent 23d36929bc
commit af96286f22
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6,7 +6,6 @@ package convert
import ( import (
"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/markup"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
) )
@ -49,7 +48,7 @@ func toUser(user *models.User, signed, authed bool) *api.User {
result := &api.User{ result := &api.User{
ID: user.ID, ID: user.ID,
UserName: user.Name, UserName: user.Name,
FullName: markup.Sanitize(user.FullName), FullName: user.FullName,
Email: user.GetEmail(), Email: user.GetEmail(),
AvatarURL: user.AvatarLink(), AvatarURL: user.AvatarLink(),
Created: user.CreatedUnix.AsTime(), Created: user.CreatedUnix.AsTime(),
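Review bot: With `FullName: user.FullName,` the API now returns the stored full name exactly as the user entered it, and nothing at this field says that escaping is now the job of whoever renders the value. I would add a comment above the field, `// FullName is raw, user-controlled text; consumers must escape it for their output context.`, so the sanitising is not re-added here and callers do not treat the value as HTML-safe. Any client code that inserted this value into a page as markup while relying on the old markup.Sanitize call would now receive unescaped input; that code is not visible here, so it is worth checking separately. A test asserting that a full name containing `<` and `&` comes out of toUser unchanged would pin the new contract. The toUser body and the struct literal continue outside the hunk.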