Escape the service and email passed via request (#14186)

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
This commit is contained in:
Daniel Jiang 2021-02-08 14:34:52 +08:00 committed by GitHub
parent 8725fa3af5
commit 0b2ef922c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 2 deletions


@ -230,7 +230,7 @@ func (cc *CommonController) SendResetEmail() {
60, settings.SSL,
settings.Insecure,
settings.From,
[]string{email},
[]string{template.HTMLEscapeString(email)},
"Reset Harbor user password",
message.String())
if err != nil {
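Review bot: HTML-escaping the recipient address on the new `[]string{template.HTMLEscapeString(email)}` line changes the address rather than sanitizing it: `&` and `'` are legal in an RFC 5322 local part, and HTMLEscapeString turns them into `&amp;` and `&#39;`, so a valid address would be rewritten and the reset mail sent to a different recipient (or rejected). The recipient list goes into the SMTP envelope and headers, not into an HTML context, so escaping for HTML does not address header or CRLF injection there either. The stronger check is to validate the address and refuse anything that is not a single well-formed mailbox, for example `if _, err := mail.ParseAddress(email); err != nil { /* reject as bad request */ }` before the send call (via `net/mail`), and pass the original `email` through unchanged. SendResetEmail starts and ends outside this hunk, so the address may already be validated earlier in the function; if so, this escape is redundant and only the mangling remains.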


@ -16,6 +16,7 @@ package token
import (
"fmt"
"html/template"
"net/http"
"github.com/astaxie/beego"
@ -38,7 +39,7 @@ func (h *Handler) Get() {
if !ok {
errMsg := fmt.Sprintf("Unable to handle service: %s", service)
log.Errorf(errMsg)
h.CustomAbort(http.StatusBadRequest, errMsg)
h.CustomAbort(http.StatusBadRequest, template.HTMLEscapeString(errMsg))
}
token, err := tokenCreator.Create(request)
if err != nil {
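Review bot: The unchanged `log.Errorf(errMsg)` just above the new CustomAbort line still passes a string containing the caller-supplied `service` value as the format argument, so any `%` verbs in the request are interpreted by the logger; that should read `log.Errorf("%s", errMsg)` (or `log.Error(errMsg)`), and `go vet` flags the non-constant format string. Whether `template.HTMLEscapeString(errMsg)` on the new line is the right treatment depends on the Content-Type CustomAbort emits, which is not visible here: if the body is served as plain text or JSON the client sees literal `&lt;`, and if it is served without an explicit type the escape covers only the five HTML metacharacters. A more robust approach is to not reflect the raw `service` value in the response body at all, for example `h.CustomAbort(http.StatusBadRequest, "unable to handle service")` while keeping the detailed value only in the server log, so the response content type no longer matters. Handler.Get continues outside this hunk.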