fix

Author: wxiaoguang

modules/templates/helper.go

@@ -294,17 +294,15 @@ func timeEstimateString(timeSec any) string {
 	return util.TimeEstimateString(v)
 }
 
-type QueryString string
-
-func queryBuild(a ...any) QueryString {
+func queryBuild(a ...any) template.URL {
 	var s string
 	if len(a)%2 == 1 {
 		if v, ok := a[0].(string); ok {
 			if v == "" || (v[0] != '?' && v[0] != '&') {
 				panic("queryBuild: invalid argument")
 			}
 			s = v
-		} else if v, ok := a[0].(QueryString); ok {
+		} else if v, ok := a[0].(template.URL); ok {
 			s = string(v)
 		} else {
 			panic("queryBuild: invalid argument")
@@ -356,7 +354,7 @@ func queryBuild(a ...any) QueryString {
 	if s != "" && s != "&" && s[len(s)-1] == '&' {
 		s = s[:len(s)-1]
 	}
-	return QueryString(s)
+	return template.URL(s)
 }
 
 func panicIfDevOrTesting() {

modules/templates/helper_test.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/modules/htmlutil"
 	"code.gitea.io/gitea/modules/util"
 
 	"github.com/stretchr/testify/assert"
@@ -102,3 +103,37 @@ func TestTemplateTruthy(t *testing.T) {
 	}
 	assert.True(t, truthyCount != 0 && truthyCount != len(cases))
 }
+
+func TestTemplateEscape(t *testing.T) {
+	execTmpl := func(code string) string {
+		tmpl := template.New("test")
+		tmpl.Funcs(template.FuncMap{"QueryBuild": queryBuild, "HTMLFormat": htmlutil.HTMLFormat})
+		template.Must(tmpl.Parse(code))
+		w := &strings.Builder{}
+		assert.NoError(t, tmpl.Execute(w, nil))
+		return w.String()
+	}
+
+	t.Run("Golang URL Escape", func(t *testing.T) {
+		// Golang template considers "href", "*src*", "*uri", "*url*" (and more) ... as contentTypeURL and does auto-escaping
+		actual := execTmpl(`<a href="?a={{"%"}}"></a>`)
+		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
+		actual = execTmpl(`<a data-xxx-url="?a={{"%"}}"></a>`)
+		assert.Equal(t, `<a data-xxx-url="?a=%25"></a>`, actual)
+	})
+	t.Run("Golang URL No-escape", func(t *testing.T) {
+		// non-URL content isn't auto-escaped
+		actual := execTmpl(`<a data-link="?a={{"%"}}"></a>`)
+		assert.Equal(t, `<a data-link="?a=%"></a>`, actual)
+	})
+	t.Run("QueryBuild", func(t *testing.T) {
+		actual := execTmpl(`<a href="{{QueryBuild "?" "a" "%"}}"></a>`)
+		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
+		actual = execTmpl(`<a href="?{{QueryBuild "a" "%"}}"></a>`)
+		assert.Equal(t, `<a href="?a=%25"></a>`, actual)
+	})
+	t.Run("HTMLFormat", func(t *testing.T) {
+		actual := execTmpl("{{HTMLFormat `<a k=\"%s\">%s</a>` `\"` `<>`}}")
+		assert.Equal(t, `<a k="&#34;">&lt;&gt;</a>`, actual)
+	})
+}