Hash (#) in branch name not properly escaped in all contexts #8420

Closed
opened 2025-11-02 08:05:23 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @manuelmohr on GitHub (Jan 28, 2022).

Gitea Version

1.15.9

Git Version

No response

Operating System

No response

How are you running Gitea?

Downloaded build from official site.

Database

PostgreSQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

  • Create a branch with a hash symbol (#) in the name
  • View the branch
  • Click "Commits"
  • Get a 404 page because the hash is not escaped
  • If escaped manually to "%23", page displays properly

image
image

Not reproducible on test server, which runs 1.17.0-dev.

Screenshots

No response

Originally created by @manuelmohr on GitHub (Jan 28, 2022). ### Gitea Version 1.15.9 ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? Downloaded build from official site. ### Database PostgreSQL ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Description - Create a branch with a hash symbol (#) in the name - View the branch - Click "Commits" - Get a 404 page because the hash is not escaped - If escaped manually to "%23", page displays properly ![image](https://user-images.githubusercontent.com/3143777/151512254-ffc8247e-57ac-4f68-9917-b9574fbce187.png) ![image](https://user-images.githubusercontent.com/3143777/151512385-f3b6ab82-23d0-45e3-8f89-5a8c28ec766c.png) Not reproducible on test server, which runs 1.17.0-dev. ### Screenshots _No response_
GiteaMirror added the issue/needs-feedback label 2025-11-02 08:05:23 -06:00
Author
Owner

@wxiaoguang commented on GitHub (Jan 28, 2022):

Not reproducible on test server, which runs 1.17.0-dev.

Yes, there is a big refactor in 1.16, so could you try it first? Such refactor won't be in 1.15.

@wxiaoguang commented on GitHub (Jan 28, 2022): > Not reproducible on test server, which runs 1.17.0-dev. Yes, there is a big refactor in 1.16, so could you try it first? Such refactor won't be in 1.15.
Author
Owner

@zeripath commented on GitHub (Jan 29, 2022):

Yup I didn't fix the escaping in 1.15 because the escaping pr touched way too many files.

I agree there is a problem but the answer is that we need to get 1.16 out as soon as possible because of this and other things.

@zeripath commented on GitHub (Jan 29, 2022): Yup I didn't fix the escaping in 1.15 because the escaping pr touched way too many files. I agree there is a problem but the answer is that we need to get 1.16 out as soon as possible because of this and other things.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#8420