From 78aaa3eb1a94ea64653f41ec38e094749a938e84 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Fri, 10 May 2019 18:48:28 +0100
Subject: [PATCH] Escape the commit message on issues update (#6901)
---
 models/action.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/models/action.go b/models/action.go
index 2cd3616d63fc..8a958f546cb8 100644
--- a/models/action.go
+++ b/models/action.go
@@ -7,6 +7,7 @@ package models
 import (
 "encoding/json"
 "fmt"
+ "html"
 "path"
 "regexp"
 "strconv"
@@ -532,7 +533,7 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, bra
 }
 refMarked[issue.ID] = true
- message := fmt.Sprintf(`%s`, repo.Link(), c.Sha1, c.Message)
+ message := fmt.Sprintf(`%s`, repo.Link(), c.Sha1, html.EscapeString(c.Message))
 if err = CreateRefComment(doer, repo, issue, message, c.Sha1); err != nil {
 return err
 }
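Review bot: The `html.EscapeString(c.Message)` call on the new `message :=` line has no comment and no regression test, so a later refactor of the format string could drop the escaping without anything failing. The commit message is chosen by whoever pushes, and the formatted string is handed to `CreateRefComment`, which presumably stores it as comment content on the referenced issue. I would add `// c.Message is pusher-controlled; escape it before embedding it in the ref comment markup` above the line, plus a test that feeds a `PushCommit` whose message contains `<`, `>` and `&` and asserts the created comment holds the escaped form. `repo.Link()` and `c.Sha1` are still interpolated raw into the same string; they look server-derived, but that assumption is worth confirming at their sources. The body of `UpdateIssuesCommit` starts and ends outside this hunk, so other uses of `c.Message` in the function are not visible here.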