From af96286f2254c1e073394aae0f18b132f07b38ad Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 22 Oct 2021 08:17:35 +0100 Subject: [PATCH] Stop sanitizing full name in API (#17396) The API convert.toUser function makes the incorrect assumption that full names could be rendered as is without being escaped. It therefore runs the names through markup.Sanitize which leads to a double escape of user full names. This pr stops this. Signed-off-by: Andrew Thornton Co-authored-by: Lunny Xiao --- modules/convert/user.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/modules/convert/user.go b/modules/convert/user.go index 164ffb71fd..3f17ae4b4d 100644 --- a/modules/convert/user.go +++ b/modules/convert/user.go @@ -6,7 +6,6 @@ package convert import ( "code.gitea.io/gitea/models" - "code.gitea.io/gitea/modules/markup" api "code.gitea.io/gitea/modules/structs" ) @@ -49,7 +48,7 @@ func toUser(user *models.User, signed, authed bool) *api.User { result := &api.User{ ID: user.ID, UserName: user.Name, - FullName: markup.Sanitize(user.FullName), + FullName: user.FullName, Email: user.GetEmail(), AvatarURL: user.AvatarLink(), Created: user.CreatedUnix.AsTime(),