fix(ui): multiple fixes of sync fork UI (#7740)

Followup to https://codeberg.org/forgejo/forgejo/pulls/2364 Replaces https://codeberg.org/forgejo/forgejo/pulls/7666 Fix multiple issues with the original implementation: * `SyncFork` web handler used `{branch}` as a parameter, so it failed for branches with `/` in names * Originally I switched it to use `*` like other branch web handlers, but I found that it was easier to move it out from URL to POST request values * Security: `SyncFork` web handler was using GET method, so just visiting the link was enough to execute the action * It was switched to POST done via form with CSRF, which also allowed to put branch name in it's values * Security: in template, branch name was not escaped but rendered with `SafeHTML`, allowing for rendering fun characters like `&` and for script execution. Also the link was not escaped correctly and would be leading to 404 * To avoid having to change all translations, only the branch name+link part was changed and is now escaped with `HTMLFormat` before being passed to TrN Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7740 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: 0ko <0ko@noreply.codeberg.org> Co-committed-by: 0ko <0ko@noreply.codeberg.org>
2025-10-18 16:18:28 +00:00 · 2025-05-02 14:25:05 +00:00 · 2025-05-02 14:25:05 +00:00 · 5ac2c0a2ba
commit 5ac2c0a2ba
parent aec8f4c57a
5 changed files with 70 additions and 31 deletions
--- a/routers/web/repo/repo.go
+++ b/routers/web/repo/repo.go
@ -785,7 +785,7 @@ func PrepareBranchList(ctx *context.Context) {

 func SyncFork(ctx *context.Context) {
 	redirectURL := fmt.Sprintf("%s/src/branch/%s", ctx.Repo.RepoLink, util.PathEscapeSegments(ctx.Repo.BranchName))
-	branch := ctx.Params("branch")
+	branch := ctx.FormString("branch")

 	syncForkInfo, err := repo_service.GetSyncForkInfo(ctx, ctx.Repo.Repository, branch)
 	if err != nil {