From 8fa20f326ca0bc3404158784a461c9f7dd7302f6 Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Thu, 21 Oct 2021 21:55:31 +0100
Subject: [PATCH] Stop sanitizing full name in API The API convert.toUser function makes the incorrect assumption that full names could be rendered as is without being escaped. It therefore runs the names through markup.Sanitize which leads to a double escape of user full names. This pr stops this.
Signed-off-by: Andrew Thornton
---
 modules/convert/user.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/convert/user.go b/modules/convert/user.go
index 164ffb71fd2e7..3f17ae4b4d5d2 100644
--- a/modules/convert/user.go
+++ b/modules/convert/user.go
@@ -6,7 +6,6 @@ package convert
 import (
 "code.gitea.io/gitea/models"
- "code.gitea.io/gitea/modules/markup"
 api "code.gitea.io/gitea/modules/structs"
 )
@@ -49,7 +48,7 @@ func toUser(user *models.User, signed, authed bool) *api.User {
 result := &api.User{
 ID: user.ID,
 UserName: user.Name,
- FullName: markup.Sanitize(user.FullName),
+ FullName: user.FullName,
 Email: user.GetEmail(),
 AvatarURL: user.AvatarLink(),
 Created: user.CreatedUnix.AsTime(),
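Review bot: `FullName: user.FullName,` in the second hunk now returns the stored, user-controlled full name verbatim, and nothing at the assignment records that escaping has become the consumer's responsibility. I would add a comment above the field, for example `// FullName is user-controlled and returned unescaped; anything that renders it as HTML must escape it.`, so a later reader does not treat the API value as pre-sanitized or reintroduce the sanitize call. The commit message says existing renderers already escape, but whether every consumer of `api.User` does so is not visible from this hunk and is worth confirming. A regression test that passes a full name containing `<` and `&` through `toUser` and expects it back unchanged would pin the new contract. The body of `toUser` continues outside the hunk.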