Fix username rendering bug (#2122)

* Fix username rendering bug * XSS integration test * Migration to unescape user full names
2025-10-31 19:38:23 +00:00 · 2017-07-12 10:58:52 -04:00
parent 2c3efd72ce
commit 858324c21a
4 changed files with 71 additions and 4 deletions
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -122,6 +122,8 @@ var migrations = []Migration{
 	NewMigration("adds comment to an action", addCommentIDToAction),
 	// v36 -> v37
 	NewMigration("regenerate git hooks", regenerateGitHooks36),
+	// v37 -> v38
+	NewMigration("unescape user full names", unescapeUserFullNames),
 }

 // Migrate database to current version
--- a/models/migrations/v37.go
+++ b/models/migrations/v37.go
@@ -0,0 +1,32 @@
+// Copyright 2017 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"html"
+
+	"code.gitea.io/gitea/models"
+
+	"github.com/go-xorm/xorm"
+)
+
+func unescapeUserFullNames(x *xorm.Engine) (err error) {
+	const batchSize = 100
+	for start := 0; ; start += batchSize {
+		users := make([]*models.User, 0, batchSize)
+		if err := x.Limit(start, batchSize).Find(users); err != nil {
+			return err
+		}
+		if len(users) == 0 {
+			return nil
+		}
+		for _, user := range users {
+			user.FullName = html.UnescapeString(user.FullName)
+			if _, err := x.Cols("full_name").Update(user); err != nil {
+				return err
+			}
+		}
+	}
+}