Escape the service and email passed via request (#14186)

Signed-off-by: Daniel Jiang <jiangd@vmware.com>

src/core/controllers/base.go

@@ -230,7 +230,7 @@ func (cc *CommonController) SendResetEmail() {
 		60, settings.SSL,
 		settings.Insecure,
 		settings.From,
-		[]string{email},
+		[]string{template.HTMLEscapeString(email)},
 		"Reset Harbor user password",
 		message.String())
 	if err != nil {

src/core/service/token/token.go

@@ -16,6 +16,7 @@ package token
 
 import (
 	"fmt"
+	"html/template"
 	"net/http"
 
 	"github.com/astaxie/beego"
@@ -38,7 +39,7 @@ func (h *Handler) Get() {
 	if !ok {
 		errMsg := fmt.Sprintf("Unable to handle service: %s", service)
 		log.Errorf(errMsg)
-		h.CustomAbort(http.StatusBadRequest, errMsg)
+		h.CustomAbort(http.StatusBadRequest, template.HTMLEscapeString(errMsg))
 	}
 	token, err := tokenCreator.Create(request)
 	if err != nil {