Possible XSS in issue dependancies

[zarunet]

• Gitea version (or commit ref): release 1.6.1
• Git version: 2.11.0
• Operating system: Debian 9.6
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes, at https://try.gitea.io/Simia_/test-repository/issues/1
  • No
  • Not relevant
• Log gist:

Description

When adding an issue with an HTML tag in the title, said HTML doesn't seem to be escaped.

In this example, the <select> tag in the title is displayed as an actual <select>

[zeripath]

I can confirm this.

[zeripath]

@simia-zaru Can you please email security@gitea.io

[zarunet]

@simia-zaru Can you please email security@gitea.io

Done. Thanks for the tip

[zeripath]

Repository descriptions are also affected although less destructively as it appears that script elements are stripped out.

[zeripath]

Similarly for milestone descriptions.

[zeripath]

Actually there's a flash on the application of a milestone title to an issue whereby it will execute an embedded script.

[techknowlogick]

@simia-zaru thanks for the report. You will be thanked in our release blog post.