Merge pull request '[v8.0/forgejo] replace v-html with v-text in branch search inputbox for XSS protection' (#5247) from bp-v8.0/forgejo-bb8796b into v8.0/forgejov8.0.3

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5247
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>

1 files changed, 2 insertions, 4 deletions

diff --git a/web_src/js/components/RepoBranchTagSelector.vue b/web_src/js/components/RepoBranchTagSelector.vue
index c13af14dea..bfba2037cc 100644
--- a/web_src/js/components/RepoBranchTagSelector.vue
+++ b/web_src/js/components/RepoBranchTagSelector.vue
@@ -289,13 +289,11 @@ export default sfc; // activate IDE's Vue plugin
           <a href="#" @click="createNewBranch()">
             <div v-show="shouldCreateTag">
               <i class="reference tags icon"/>
-              <!-- eslint-disable-next-line vue/no-v-html -->
-              <span v-html="textCreateTag.replace('%s', searchTerm)"/>
+              <span v-text="textCreateTag.replace('%s', searchTerm)"/>
             </div>
             <div v-show="!shouldCreateTag">
               <svg-icon name="octicon-git-branch"/>
-              <!-- eslint-disable-next-line vue/no-v-html -->
-              <span v-html="textCreateBranch.replace('%s', searchTerm)"/>
+              <span v-text="textCreateBranch.replace('%s', searchTerm)"/>
             </div>
             <div class="text small">
               <span v-if="isViewBranch || release">{{ textCreateBranchFrom.replace('%s', branchName) }}</span>