From b4a2b41941f9968cc67dcf7afdfa54bb2a731470 Mon Sep 17 00:00:00 2001
From: Gusted
Date: Wed, 16 Nov 2022 23:09:50 +0100
Subject: [PATCH] Don't render escaped HTML on plain text

- While viewing a plain readme file that has ambiguous characters, it currently will write HTML for escaped characters, however it's being rendered as a plain text and thus will not actually render the HTML elements.
- Only show the escape status, but render the content as plain text without trying to show the ambigious characters(escape button will have no effect due to this).
- Related https://codeberg.org/Codeberg/Community/issues/796
---
 routers/web/repo/view.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index e7aca04819296..cb54d1c6f0867 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -523,13 +523,15 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 // to prevent iframe load third-party url
 ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'")
 } else if readmeExist && !shouldRenderSource {
- buf := &bytes.Buffer{}
 ctx.Data["IsRenderedHTML"] = true
- ctx.Data["EscapeStatus"], _ = charset.EscapeControlReader(rd, buf, ctx.Locale)
+ buf, _ := io.ReadAll(rd)
+
+ // Do render a EscapeStatus, but don't render escaped HTML as it's plain text.
+ ctx.Data["EscapeStatus"], _ = charset.EscapeControlReader(bytes.NewReader(buf), io.Discard, ctx.Locale)
 ctx.Data["FileContent"] = strings.ReplaceAll(
- gotemplate.HTMLEscapeString(buf.String()), "\n", `
`,
+ gotemplate.HTMLEscapeString(string(buf)), "\n", `
`,
 )
 } else {
 buf, _ := io.ReadAll(rd)
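Review bot: The two added calls in the `readmeExist && !shouldRenderSource` branch discard their errors (`buf, _ := io.ReadAll(rd)` and `ctx.Data["EscapeStatus"], _ = charset.EscapeControlReader(...)`), so a failed or short read renders a truncated readme with an escape status computed over whatever bytes arrived. With the escaped output now sent to `io.Discard`, EscapeStatus is the only signal left in this view for ambiguous or invisible characters, so a scan error should not fail open silently. I would handle the read error, e.g. `buf, err := io.ReadAll(rd)` then `if err != nil { ctx.ServerError("ReadAll", err); return }` (assuming that is the helper this handler uses elsewhere), and at least log the scan error. The added comment could also state the reason more directly, e.g. `// Compute EscapeStatus only; the content is shown as HTML-escaped plain text, so escape markup would appear literally.` renderFile starts and ends outside the hunk, and the trailing `else` context line shows the same discarded `io.ReadAll` error.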