Refactor locale&string&template related code #29165
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/XL
github-actions
bot
added
the
modifies/api
wxiaoguang
force-pushed
the
refactor-web-locale
branch
2 times, most recently
from
dee6c5d
to
4ae600f
Compare
wxiaoguang
added
the
type/refactoring
wxiaoguang
force-pushed
the
refactor-web-locale
branch
from
4ae600f
to
74a09e6
Compare
lunny
reviewed
Feb 14, 2024
wxiaoguang
force-pushed
the
refactor-web-locale
branch
from
74a09e6
to
33c6f23
Compare
|
Wouldn't it be easier to add a |
No, the real problem is that |
lunny
reviewed
Feb 14, 2024
lunny
reviewed
Feb 14, 2024
lunny
approved these changes
Feb 14, 2024
GiteaBot
added
lgtm/need 1
Yes, but doesn't this enable XSS attacks? |
|
I don't understand how this makes things safer, for me it seems less safe… |
Why and how? Do you have an example to break it?
No, every argument is under control now. Every string gets "escaped". |
|
Yep, I've noticed what you mean by looking further through your PR. |
There is no much difference for the "|Safe" modifier (comparing to before, I think the new approach is indeed better). |
delvh
changed the title
|
Backport? |
No idea (maybe I slightly prefer no), it doesn't seems easy to backport and usually we don't backport unnecessary refactoring PRs. If most people would like to, I could try. |
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 15, 2024
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly.
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Feb 16, 2024
* giteaofficial/main: (23 commits) Remove jQuery from SSH key form parser (go-gitea#29193) Refactor request function (go-gitea#29187) Docker Tag Information in Docs (go-gitea#29047) Fix gitea-action user avatar broken on edited menu (go-gitea#29190) Disable parallel Make execution (go-gitea#29186) Auto-update the system status in admin dashboard (go-gitea#29163) Avoid vue warning in dev mode (go-gitea#29188) Update JS and PY dependencies (go-gitea#29184) [skip ci] Updated translations via Crowdin Implement contributors graph (go-gitea#27882) Add support for action artifact serve direct (go-gitea#29120) Advertise WebAuthn support (go-gitea#29176) Tweak repo header (go-gitea#29134) Change webhook-type in create-view (go-gitea#29114) Remove jQuery from the comment task list (go-gitea#29170) Fix can not select team reviewers when reviewers is empty (go-gitea#29174) move sign in labels to be above inputs (go-gitea#28753) Refactor locale&string&template related code (go-gitea#29165) Extract linguist code to method (go-gitea#29168) bump to use go 1.22 (go-gitea#29119) ...
This was referenced Feb 17, 2024
KN4CK3R
pushed a commit
that referenced
this pull request
Feb 18, 2024
Follow #29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage
wxiaoguang
added a commit
that referenced
this pull request
Feb 18, 2024
Follow #29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly.
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
…plates (go-gitea#29227) Follow go-gitea#29165. These HTML strings are safe to be rendered directly, to avoid double-escaping.
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
Follow go-gitea#29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage
silverwind
pushed a commit
to silverwind/gitea
that referenced
this pull request
Feb 20, 2024
Follow go-gitea#29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
This was referenced Feb 22, 2024
wxiaoguang
added a commit
that referenced
this pull request
Feb 22, 2024
wxiaoguang
added a commit
that referenced
this pull request
Feb 22, 2024
6543
added
the
topic/security
This was referenced Feb 25, 2024
lunny
pushed a commit
that referenced
this pull request
Feb 25, 2024
Follow #29165 * some of them are incorrect, which would lead to double escaping (eg: `(print (Escape $.RepoLink)`) * other of them are not necessary, because `Tr` handles strings&HTML automatically Suggest to review by "unified view": https://github.com/go-gitea/gitea/pull/29394/files?diff=unified&w=0
6543
pushed a commit
to 6543-forks/gitea
that referenced
this pull request
Feb 26, 2024
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape) And help PRs like go-gitea#29059 , to render the error messages correctly. (cherry picked from commit f3eb835) Conflicts: modules/web/middleware/binding.go routers/web/feed/convert.go tests/integration/branches_test.go tests/integration/repo_branch_test.go trivial context conflicts
6543
pushed a commit
to 6543-forks/gitea
that referenced
this pull request
Feb 26, 2024
…plates (go-gitea#29227) Follow go-gitea#29165. These HTML strings are safe to be rendered directly, to avoid double-escaping. (cherry picked from commit a784ed3)
6543
pushed a commit
to 6543-forks/gitea
that referenced
this pull request
Feb 26, 2024
Follow go-gitea#29165. * Introduce JSONTemplate to help to render JSON templates * Introduce JSEscapeSafe for templates. Now only use `{{ ... | JSEscape}}` instead of `{{ ... | JSEscape | Safe}}` * Simplify "UserLocationMapURL" useage (cherry picked from commit 31bb9f3)
6543
pushed a commit
to 6543-forks/gitea
that referenced
this pull request
Feb 26, 2024
Follow go-gitea#29165. Co-authored-by: KN4CK3R <admin@oldschoolhack.me> (cherry picked from commit 4345cac)
|
Automatically locked because of our CONTRIBUTING guidelines |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clarify when "string" should be used (and be escaped), and when "template.HTML" should be used (no need to escape)
And help PRs like #29059 , to render the error messages correctly.
The only possible regression bug is that something on the UI might get double-escaped, which is pretty easy to fix (and I will fix them in first time, as always). Update: if such regression happens, it should be the old code's bug, which needs to be fixed accordingly.