Address review comments including XSS, but no change to alt key

Author: brechtvl

models/issues/issue.go

@@ -541,7 +541,7 @@ func (ts labelSorter) Swap(i, j int) {
 // Ensure only one label of a given scope exists, with labels at the end of the
 // array getting preference over earlier ones.
 func RemoveDuplicateExclusiveLabels(labels []*Label) []*Label {
-	var validLabels []*Label
+	validLabels := make([]*Label, 0, len(labels))
 
 	for i, label := range labels {
 		scope := label.ExclusiveScope()

models/issues/label.go

@@ -175,21 +175,21 @@ func (label *Label) ColorRGB() (float64, float64, float64, error) {
 	return r, g, b, nil
 }
 
-// Determine if label text should be light or dark to be readable on
-// background color.
+// Determine if label text should be light or dark to be readable on background color
 func (label *Label) UseLightTextColor() bool {
 	if strings.HasPrefix(label.Color, "#") {
 		if r, g, b, err := label.ColorRGB(); err == nil {
-			// sRGB color space luminance
-			luminance := (0.299*r + 0.587*g + 0.114*b) / 255
-			return luminance < 0.35
+			// Perceived brightness from: https://www.w3.org/TR/AERT/#color-contrast
+			// In the future WCAG 3 APCA may be a better solution
+			brightness := (0.299*r + 0.587*g + 0.114*b) / 255
+			return brightness < 0.35
 		}
 	}
 
 	return false
 }
 
-// Return scope substring of label name, or empty string if none exists.
+// Return scope substring of label name, or empty string if none exists
 func (label *Label) ExclusiveScope() string {
 	if !label.Exclusive {
 		return ""

models/migrations/v1_19/v244.go

@@ -4,8 +4,6 @@
 package v1_19 //nolint
 
 import (
-	"fmt"
-
 	"xorm.io/xorm"
 )
 
@@ -14,8 +12,5 @@ func AddExclusiveLabel(x *xorm.Engine) error {
 		Exclusive bool
 	}
 
-	if err := x.Sync2(new(Label)); err != nil {
-		return fmt.Errorf("Sync2: %w", err)
-	}
-	return nil
+	return x.Sync(new(Label))
 }

modules/templates/helper.go

@@ -815,7 +815,7 @@ func RenderLabel(label *issues_model.Label) string {
 		textColor = "#eee"
 	}
 
-	description := emoji.ReplaceAliases(label.Description)
+	description := emoji.ReplaceAliases(template.HTMLEscapeString(label.Description))
 
 	if labelScope == "" {
 		// Regular label

routers/web/repo/issue.go

@@ -332,7 +332,8 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 		labels = append(labels, orgLabels...)
 	}
 
-	var labelExclusiveScopes []string
+	// Get the exclusive scope for every label ID
+	labelExclusiveScopes := make([]string, 0, len(labelIDs))
 	for _, labelID := range labelIDs {
 		foundExclusiveScope := false
 		for _, label := range labels {

templates/repo/issue/labels/label_list.tmpl

@@ -44,10 +44,10 @@
 				<div class="three wide column">
 					{{if and (not $.PageIsOrgSettingsLabels ) (not $.Repository.IsArchived) (or $.CanWriteIssues $.CanWritePulls)}}
 						<a class="ui right delete-button" href="#" data-url="{{$.Link}}/delete" data-id="{{.ID}}">{{svg "octicon-trash"}} {{$.locale.Tr "repo.issues.label_delete"}}</a>
-						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" data-exclusive="{{.Exclusive}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
+						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" {{if .Exclusive}}data-exclusive{{end}} data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
 					{{else if $.PageIsOrgSettingsLabels}}
 						<a class="ui right delete-button" href="#" data-url="{{$.Link}}/delete" data-id="{{.ID}}">{{svg "octicon-trash"}} {{$.locale.Tr "repo.issues.label_delete"}}</a>
-						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" data-exclusive="{{.Exclusive}}" data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
+						<a class="ui right edit-label-button" href="#" data-id="{{.ID}}" data-title="{{.Name}}" {{if .Exclusive}}data-exclusive{{end}} data-description="{{.Description}}" data-color={{.Color}}>{{svg "octicon-pencil"}} {{$.locale.Tr "repo.issues.label_edit"}}</a>
 					{{end}}
 				</div>
 			</div>

web_src/js/components/ContextPopup.vue

@@ -26,19 +26,10 @@
 <script>
 import $ from 'jquery';
 import {SvgIcon} from '../svg.js';
+import {useLightTextOnBackground} from '../utils.js';
 
 const {appSubUrl, i18n} = window.config;
 
-// NOTE: see models/issue_label.go for similar implementation
-const useLightTextColor = (label) => {
-  // sRGB color space luminance
-  const r = parseInt(label.color.substring(0, 2), 16);
-  const g = parseInt(label.color.substring(2, 4), 16);
-  const b = parseInt(label.color.substring(4, 6), 16);
-  const luminance = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
-  return luminance < 0.35;
-};
-
 export default {
   components: {SvgIcon},
   data: () => ({
@@ -86,7 +77,7 @@ export default {
     labels() {
       return this.issue.labels.map((label) => {
         let textColor;
-        if (useLightTextColor(label)) {
+        if (useLightTextOnBackground(label.color)) {
           textColor = '#eeeeee';
         } else {
           textColor = '#111111';

web_src/js/features/comp/LabelEdit.js

@@ -20,7 +20,7 @@ export function initCompLabelEdit(selector) {
     $('.edit-label .color-picker').minicolors('value', $(this).data('color'));
     $('#label-modal-id').val($(this).data('id'));
     $('.edit-label .new-label-input').val($(this).data('title'));
-    $('.edit-label .new-label-exclusive').prop('checked', $(this).data('exclusive'));
+    $('.edit-label .new-label-exclusive').prop('checked', this.hasAttribute('data-exclusive'));
     $('.edit-label .new-label-desc-input').val($(this).data('description'));
     $('.edit-label .color-picker').val($(this).data('color'));
     $('.edit-label .minicolors-swatch-color').css('background-color', $(this).data('color'));

web_src/js/features/repo-legacy.js

@@ -117,7 +117,7 @@ export function initRepoCommentForm() {
 
       $(this).parent().find('.item').each(function () {
         if (scope) {
-          /* Enable only clicked item for scoped labels. */
+          // Enable only clicked item for scoped labels
           if ($(this).attr('data-scope') !== scope) {
             return true;
           }
@@ -129,7 +129,7 @@ export function initRepoCommentForm() {
             return true;
           }
         } else if (!$(this).is(clickedItem)) {
-          /* Toggle for other labels. */
+          // Toggle for other labels
           return true;
         }
 

web_src/js/features/repo-projects.js

@@ -1,4 +1,5 @@
 import $ from 'jquery';
+import {useLightTextOnBackground} from '../utils.js';
 
 const {csrfToken} = window.config;
 
@@ -183,13 +184,7 @@ export function initRepoProject() {
 }
 
 function setLabelColor(label, color) {
-  // sRGB color space luminance
-  const r = parseInt(color.slice(1, 3), 16);
-  const g = parseInt(color.slice(3, 5), 16);
-  const b = parseInt(color.slice(5, 7), 16);
-  const luminance = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
-
-  if (luminance < 0.35) {
+  if (useLightTextOnBackground(color)) {
     label.removeClass('dark-label').addClass('light-label');
   } else {
     label.removeClass('light-label').addClass('dark-label');

web_src/js/utils.js

@@ -146,3 +146,18 @@ export function toAbsoluteUrl(url) {
   }
   return `${window.location.origin}${url}`;
 }
+
+// determine if light or dark text color should be used on a given background color
+// NOTE: see models/issue_label.go for similar implementation
+export function useLightTextOnBackground(backgroundColor) {
+  if (backgroundColor[0] === '#') {
+    backgroundColor = backgroundColor.substring(1);
+  }
+  // Perceived brightness from: https://www.w3.org/TR/AERT/#color-contrast
+  // In the future WCAG 3 APCA may be a better solution.
+  const r = parseInt(backgroundColor.substring(0, 2), 16);
+  const g = parseInt(backgroundColor.substring(2, 4), 16);
+  const b = parseInt(backgroundColor.substring(4, 6), 16);
+  const brightness = (0.299 * r + 0.587 * g + 0.114 * b) / 255;
+  return brightness < 0.35;
+}