From 236e70f1359ae46818c3916f21401ef4bacf3eaf Mon Sep 17 00:00:00 2001
From: zeripath
Date: Sat, 26 Dec 2020 21:58:21 +0000
Subject: [PATCH] Fix escaping issue in diff (#14153)

Ensure that linecontent is escaped before passing to template.HTML

Signed-off-by: Andrew Thornton
---
 services/gitdiff/gitdiff.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index 79cd16e19..81b92f716 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -10,6 +10,7 @@ import (
 "bytes"
 "context"
 "fmt"
+ "html"
 "html/template"
 "io"
 "io/ioutil"
@@ -164,9 +165,9 @@ func getDiffLineSectionInfo(treePath, line string, lastLeftIdx, lastRightIdx int
 // escape a line's content or return
needed for copy/paste purposes
 func getLineContent(content string) string {
 if len(content) > 0 {
- return content
+ return html.EscapeString(content)
 }
- return "\n"
+ return "
"
 }
 // DiffSection represents a section of a DiffFile.
@@ -357,8 +358,6 @@ func (diffSection *DiffSection) GetComputedInlineDiffFor(diffLine *DiffLine) tem
 diffRecord := diffMatchPatch.DiffMain(highlight.Code(diffSection.FileName, diff1[1:]), highlight.Code(diffSection.FileName, diff2[1:]), true)
 diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
- diffRecord = diffMatchPatch.DiffCleanupEfficiency(diffRecord)
-
 return diffToHTML(diffSection.FileName, diffRecord, diffLine.Type)
 }
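Review bot: The rewritten `getLineContent` now returns HTML-escaped text, but its comment (`// escape a line's content or return … needed for copy/paste purposes`) does not record that the result is meant to be wrapped in `template.HTML` and must not be escaped again, so any caller that already escapes, or that feeds the value through a highlighter producing its own markup, will now render `&amp;lt;` instead of `<`. I would make it a proper doc comment: `// getLineContent returns content escaped for an HTML element body (callers wrap it in template.HTML; do not escape it again), or the copy/paste placeholder for an empty line.` `html.EscapeString` covers only `<`, `>`, `&`, `'` and `"`, which is adequate in element-content context but not inside an attribute or a script block, so the placement of the `template.HTML` conversion in the callers (outside this hunk) is what keeps the fix sound. The literal returned on the empty path is not visible in this rendering, so I cannot confirm it is a fixed, safe constant. The patch adds no test; a one-liner such as `if got := getLineContent("<b>&"); got != "&lt;b&gt;&amp;" { t.Fatal(got) }` would pin the fix.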