From e194cf3291df11ddf4d9235fe0d7e18322bbd0f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Justin=20Nu=C3=9F?= <nuss.justin@gmail.com>
Date: Tue, 22 Jul 2014 19:52:37 +0200
Subject: [PATCH 1/2] Fix issue #259. Allow links in the repository description

---
 models/repo.go          | 12 +++++++++++-
 templates/repo/nav.tmpl |  2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/models/repo.go b/models/repo.go
index fb7bbbd036..1cfa50f7b5 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,9 +8,11 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"html/template"
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"sort"
 	"strings"
@@ -46,6 +48,10 @@ var (
 	LanguageIgns, Licenses []string
 )
 
+var (
+	DescriptionPattern = regexp.MustCompile(`https?://\S+`)
+)
+
 // getAssetList returns corresponding asset list in 'conf'.
 func getAssetList(prefix string) []string {
 	assets := make([]string, 0, 15)
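Review bot: `DescriptionPattern` accepts every non-space character after the scheme, so a match can contain `"`, `<`, `>` and trailing punctuation such as `).`, and nothing on the declaration says so. I would add a doc comment, e.g. `// DescriptionPattern matches http and https URLs in free text; a match is not HTML-safe and must be escaped before it is written into markup.` It is also an exported, reassignable package variable; if nothing outside `models` needs it, unexporting it as `descriptionPattern` keeps other packages from swapping the pattern.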
@@ -145,6 +151,10 @@ func (repo *Repository) GetOwner() (err error) {
 	return err
 }
 
+func (repo *Repository) DescriptionHtml() template.HTML {
+	return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
+}
+
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
 func IsRepositoryExist(u *User, repoName string) (bool, error) {
 	repo := Repository{OwnerId: u.Id}
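Review bot: The conversion to `template.HTML` in `DescriptionHtml` marks the whole repository description as trusted markup, so anything the owner types (a tag, or a URL containing `"` that closes the `href` attribute) is emitted verbatim wherever the template prints this value, assuming html/template rendering, which does not escape `template.HTML`. The later hunk in this series that rewrites the same function runs `html.EscapeString` only on the matched URL, so the text outside matches is still unescaped there. Escape first and linkify second: pass `html.EscapeString(repo.Description)` to `ReplaceAllString` in place of `repo.Description`, which needs the `html` import. The function body is fully inside this hunk.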
@@ -1000,4 +1010,4 @@ func IsWatching(uid, rid int64) bool {
 
 func ForkRepository(repoName string, uid int64) {
 
-}
+}
\ No newline at end of file
diff --git a/templates/repo/nav.tmpl b/templates/repo/nav.tmpl
index ea7799b351..b689e44299 100644
--- a/templates/repo/nav.tmpl
+++ b/templates/repo/nav.tmpl
@@ -3,7 +3,7 @@
         <div class="row">
             <div class="col-md-7">
                 <h3 class="name"><i class="fa fa-book fa-lg"></i><a href="{{.Owner.HomeLink}}">{{.Owner.Name}}</a> / <a href="/{{.Owner.Name}}/{{.Repository.Name}}">{{.Repository.Name}}</a> {{if .Repository.IsPrivate}}<span class="label label-default">Private</span>{{else if .Repository.IsMirror}}<span class="label label-default">Mirror</span>{{end}}</h3>
-                <p class="desc">{{.Repository.Description}}{{if .Repository.Website}} <a href="{{.Repository.Website}}">{{.Repository.Website}}</a>{{end}}</p>
+                <p class="desc">{{.Repository.DescriptionHtml}}{{if .Repository.Website}} <a href="{{.Repository.Website}}">{{.Repository.Website}}</a>{{end}}</p>
             </div>
             <div class="col-md-5 actions text-right clone-group-btn">
                 {{if not .IsBareRepo}}

From 636a78fed14a4e63317a14cdec8c4ea3cb25ff86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Justin=20Nu=C3=9F?= <nuss.justin@gmail.com>
Date: Tue, 22 Jul 2014 20:08:04 +0200
Subject: [PATCH 2/2] Escape tags and quotes in links.

---
 models/repo.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/models/repo.go b/models/repo.go
index 1cfa50f7b5..845c1b75a9 100644
--- a/models/repo.go
+++ b/models/repo.go
@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"html"
 	"html/template"
 	"os"
 	"path"
@@ -152,7 +153,13 @@ func (repo *Repository) GetOwner() (err error) {
 }
 
 func (repo *Repository) DescriptionHtml() template.HTML {
-	return template.HTML(DescriptionPattern.ReplaceAllString(repo.Description, `<a href="$0" target="_blank">$0</a>`))
+	sanitize := func(s string) string {
+		// TODO(nuss-justin): Improve sanitization. Strip all tags?
+		ss := html.EscapeString(s)
+
+		return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
+	}
+	return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
 }
 
 // IsRepositoryExist returns true if the repository with given name under user has already existed.
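Review bot: The anchor built in `sanitize` sets `target="_blank"` without a `rel` attribute, so in browsers that do not imply `noopener` the linked site is opened with a `window.opener` reference back to the repository page. Adding `rel="noopener noreferrer"` to the format string passed to `fmt.Sprintf` closes that. The exported method also has no doc comment; `// DescriptionHtml returns the description with http and https URLs rendered as links.` would do.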