mirror of
				https://codeberg.org/forgejo/forgejo
				synced 2025-10-22 01:10:39 +02:00 
			
		
		
		
	It's possible for reviews to not be associated with users when they were migrated from another forge instance. The migration code has no sanitization check for author names, so they could contain HTML tags and thus need to be properly escaped.
		
			
				
	
	
		
		
	
	
	
	
	
# Fixture: a single comment row of type 32 (dismiss review) on issue 2 that
# points at review 1000.
# NOTE(review): presumably review 1000 lives in a companion fixture as a
# migrated review with no linked user and an author name containing HTML, so
# that rendering this comment exercises the output-escaping path. Confirm
# against that fixture and the test that loads this file.
-
  id: 1000
  type: 32 # dismiss review
  poster_id: 2
  issue_id: 2 # in repo_id 1
  # The content holds no markup itself; it is only a plain-text marker.
  content: "XSS time!"
  # Links this comment to the review whose author is rendered alongside it.
  review_id: 1000
  created_unix: 1700000000
  updated_unix: 1700000000