escaping csv column content

Author: lunny

modules/markup/csv/csv.go

@@ -7,6 +7,7 @@ package markup
 import (
 	"bytes"
 	"encoding/csv"
+	"html"
 	"io"
 
 	"code.gitea.io/gitea/modules/markup"
@@ -46,7 +47,7 @@ func (Parser) Render(rawBytes []byte, urlPrefix string, metas map[string]string,
 		tmpBlock.WriteString("<tr>")
 		for _, field := range fields {
 			tmpBlock.WriteString("<td>")
-			tmpBlock.WriteString(field)
+			tmpBlock.WriteString(html.EscapeString(field))
 			tmpBlock.WriteString("</td>")
 		}
 		tmpBlock.WriteString("<tr>")

modules/markup/csv/csv_test.go

@@ -0,0 +1,25 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package markup
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRenderCSV(t *testing.T) {
+	var parser Parser
+	var kases = map[string]string{
+		"a":     "<table class=\"table\"><tr><td>a</td><tr></table>",
+		"1,2":   "<table class=\"table\"><tr><td>1</td><td>2</td><tr></table>",
+		"<br/>": "<table class=\"table\"><tr><td>&lt;br/&gt;</td><tr></table>",
+	}
+
+	for k, v := range kases {
+		res := parser.Render([]byte(k), "", nil, false)
+		assert.EqualValues(t, v, string(res))
+	}
+}