5ac2c0a2ba
Followup to https://codeberg.org/forgejo/forgejo/pulls/2364 Replaces https://codeberg.org/forgejo/forgejo/pulls/7666 Fix multiple issues with the original implementation: * `SyncFork` web handler used `{branch}` as a parameter, so it failed for branches with `/` in names * Originally I switched it to use `*` like other branch web handlers, but I found that it was easier to move it out from URL to POST request values * Security: `SyncFork` web handler was using GET method, so just visiting the link was enough to execute the action * It was switched to POST done via form with CSRF, which also allowed to put branch name in it's values * Security: in template, branch name was not escaped but rendered with `SafeHTML`, allowing for rendering fun characters like `&` and for script execution. Also the link was not escaped correctly and would be leading to 404 * To avoid having to change all translations, only the branch name+link part was changed and is now escaped with `HTMLFormat` before being passed to TrN Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7740 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org>
15 lines
679 B
Go HTML Template
15 lines
679 B
Go HTML Template
{{if .CanSyncFork}}
|
|
<div class="ui positive message tw-flex tw-items-center" id="sync_fork_msg">
|
|
<div class="tw-flex-1">
|
|
{{$baseBranchHTML := HTMLFormat "<a href='%s'>%s:%s</a>" .BaseBranchLink .Repository.BaseRepo.FullName .BranchName}}
|
|
{{ctx.Locale.TrN .ForkCommitsBehind "repo.sync_fork.branch_behind_one" "repo.sync_fork.branch_behind_few" .ForkCommitsBehind $baseBranchHTML}}
|
|
</div>
|
|
<form method="post" action="{{.RepoLink}}/sync_fork">
|
|
{{.CsrfTokenHtml}}
|
|
<input type="hidden" name="branch" value="{{.BranchName}}">
|
|
<button class="ui compact positive button tw-m-0">
|
|
{{ctx.Locale.Tr "repo.sync_fork.button"}}
|
|
</button>
|
|
</form>
|
|
</div>
|
|
{{end}}
|