Search query gets rendered as HTML

[jonasfranz]

• Gitea version (or commit ref): 1.4.0+rc1
• Operating system: Ubuntu Server 16.04
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No, because repo indexer is disabled
  • Not relevant

Description

When I enter a HTML tag into the repository search, the query gets rendered as HTML. But it is sort of escaped because only h1, b, i etc. are rendered but without parameters like onload.

Screenshots

Search-Query: <i>

Search-Query: <h1>

Search-Query: <b>Hello</b><h1>World</h1>

[jonasfranz]

This might be also security relevant because attackers could send links containing a message for example to send credentials to the attacker.

[ethantkoenig]

FYI, while this is certainly a bug (good catch @JonasFranzDEV), I don't believe XSS is a concern because the search query was previously piped through Str2Html (which sanitizes unsafe HTML)

[jonasfranz]

@ethantkoenig You're right. It is not a real XSS but it could be used to show the user a big text for example saying to send there password to an email.