
template: escape untrusted names in locale strings piped through Safe (#8176)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Joe Chen, 20 hours ago
parent
commit
ac21150a53

+ 11 - 0
.claude/commands/ghsa.md

@@ -0,0 +1,11 @@
+Analyze and help fix the GitHub Security Advisory (GHSA) at: $ARGUMENTS
+
+Steps:
+1. Fetch the GHSA page using `gh api repos/gogs/gogs/security-advisories` and understand the vulnerability details (description, severity, affected versions, CWE).
+2. Verify the reported vulnerability actually exists, and why.
+3. Identify the affected code in this repository.
+4. Propose a fix with a clear explanation of the root cause and how the fix addresses it. Check for prior art in the codebase to stay consistent with existing patterns.
+5. Implement the fix. Only add tests when there is something meaningful to test at our layer.
+6. Run all the usual build and test commands.
+7. Create a branch named after the GHSA ID, commit, and push.
+8. Create a pull request with a proper title and description, do not reveal too much detail and link the GHSA.
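Review bot: step 1 runs `gh api repos/gogs/gogs/security-advisories`, which lists all of the repository's advisories and never uses the `$ARGUMENTS` value the command receives, so the advisory still has to be picked out of the list by hand; append the id to the path (`gh api repos/gogs/gogs/security-advisories/$ARGUMENTS`) so the fetch is scoped to the GHSA that was named. Step 8 also reads as a run-on: split "do not reveal too much detail" and "link the GHSA" into two separate instructions.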

+ 1 - 1
templates/repo/branches/all.tmpl

@@ -14,7 +14,7 @@
 					<div class="ui eleven wide column">
 						{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 						{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-						<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+						<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 					</div>
 					<div class="ui four wide column">
 						{{if and (and (eq $.BranchName .Name) $.IsRepositoryAdmin) (not $.Repository.IsMirror)}}
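Review bot: the commit title says "escape" but the hunk calls `Sanitize`; if `Sanitize` maps to an HTML sanitizer policy rather than an escaper, it strips disallowed markup but lets allowed tags through, so a crafted committer name could still render as markup once the result is piped through `| Safe`. Please confirm which helper `Sanitize` is bound to and, if the intent is plain text, use an HTML-escape helper instead. Keeping `| Safe` is necessary because `$timeSince` from `TimeSince` is trusted HTML, but it means every other argument to this `Tr` call has to be escaped individually; a short comment at the call site saying so would stop the next edit from dropping the wrapper.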

+ 3 - 3
templates/repo/branches/overview.tmpl

@@ -13,7 +13,7 @@
 				<div class="ui eleven wide column">
 					{{if .DefaultBranch.IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .DefaultBranch.Name}}"><code>{{.DefaultBranch.Name}}</code></a>
 					{{$timeSince := TimeSince .DefaultBranch.Commit.Committer.When $.Lang}}
-					<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .DefaultBranch.Commit.Committer.Name | Safe}}</span>
+					<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .DefaultBranch.Commit.Committer.Name) | Safe}}</span>
 				</div>
 				{{if and $.IsRepositoryAdmin (not $.Repository.IsMirror)}}
 					<div class="ui four wide column">
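Review bot: this is the same one-line change applied at three call sites in this file plus `all.tmpl`, each interpolating a committer name into a locale string and piping it through `| Safe`; instead of patching every occurrence, consider a helper (for example a `TrSafe`-style wrapper, name hypothetical) that escapes its string arguments before substitution, so a future template that adds another `Tr ... | Safe` line cannot reintroduce the issue by omission.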
@@ -33,7 +33,7 @@
 						<div class="ui eleven wide column">
 							{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 							{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 						</div>
 						{{if and $.IsRepositoryWriter $.AllowPullRequest}}
 							<div class="ui four wide column">
@@ -55,7 +55,7 @@
 						<div class="ui eleven wide column">
 							{{if .IsProtected}}<i class="octicon octicon-shield"></i> {{end}}<a class="markdown" href="{{$.RepoLink}}/src/{{EscapePound .Name}}"><code>{{.Name}}</code></a>
 							{{$timeSince := TimeSince .Commit.Committer.When $.Lang}}
-							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince .Commit.Committer.Name | Safe}}</span>
+							<span class="ui text light grey">{{$.i18n.Tr "repo.branches.updated_by" $timeSince (Sanitize .Commit.Committer.Name) | Safe}}</span>
 						</div>
 						{{if and $.IsRepositoryWriter $.AllowPullRequest}}
 							<div class="ui four wide column">

+ 1 - 1
templates/repo/wiki/view.tmpl

@@ -58,7 +58,7 @@
 			{{end}}
 			<div class="ui sub header">
 				{{$timeSince := TimeSince .Author.When $.Lang}}
-				{{.i18n.Tr "repo.wiki.last_commit_info" .Author.Name $timeSince | Safe}}
+				{{.i18n.Tr "repo.wiki.last_commit_info" (Sanitize .Author.Name) $timeSince | Safe}}
 			</div>
 		</div>
 		<div class="markdown has-emoji">
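Review bot: this hunk wraps `.Author.Name` the same way as the branch templates and leaves the argument order and the locale string untouched, which is fine, but the fix only covers the four templates in this commit; a grep for remaining `i18n.Tr ... | Safe` call sites that take user-supplied values (author names, titles, branch names) would confirm nothing was missed before merging.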