links in search results are not escaped #22740

Closed
AndreaBorgia-Abo opened this issue Feb 3, 2023 · 2 comments · Fixed by #22741

@AndreaBorgia-Abo

Description

New gitea installation:
Gitea-Version: 1.18.2 built with GNU Make 4.3, go1.19.5 : bindata, timetzdata, sqlite, sqlite_unlock_notify
Git-Version: 2.36.4, Wire Protocol Version 2 Enabled

We're trying to use it together with abapGit for custom developments on an SAP system.

Because of the way abapGit and SAP work, the resulting filenames on the gitea server (or on any git server) would have slashes in them: for this reason, during serialization and push they’re replaced by hashmarks as follows:

Original SAP object: /SOFTW/ZTOPREP (that would be program ZTOPREP under the /SOFTW namespace)
Serialized content on the git server: /src/#softw#ztoprep.prog.abap

So far, so good: both abapGit and gitea seem to be fine with it; when browsing folders on gitea, that also works ok: the hashmarks are escaped, links are active and lead to the correct object. Notice the "%23" in the lower left corner:
browse_top
browse_sub

The problem comes up in search results: here hashmarks are NOT escaped, so they end up working as anchors and lead to the wrong object, typically the top-level folder / package.
search_empty
search_top
search_sub

Is it something that can / should be configured in our installation or just a bug / missing feature?

Gitea Version

1.18.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.36.4

Operating System

Ubuntu 22.04.1 LTS

How are you running Gitea?

Running gitea/gitea:latest ( sha256:86b1df821fa31475f7720f2e8b86b386fb48a1acf40e941cd8d077a9230d4578 ) on Docker 20.10.23 (API: 1.41), with Postgresql 14.6-1.pgdg110+1

Database

PostgreSQL

@wxiaoguang
Contributor

That's a bug.

I think #22741 will fix it.

@lunny lunny added this to the 1.18.4 milestone Feb 3, 2023
@zeripath
Contributor

zeripath commented Feb 3, 2023

🤦 Fortunately, despite this being yet another escaping bug, I don't think this could result in a security issue.

zeripath pushed a commit that referenced this issue Feb 4, 2023
yardenshoham pushed a commit to yardenshoham/gitea that referenced this issue Feb 4, 2023
wxiaoguang added a commit to wxiaoguang/gitea that referenced this issue Feb 4, 2023
zeripath pushed a commit that referenced this issue Feb 6, 2023
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
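
The behaviour reported in this issue, as an added Go example that is not part of the thread and is not Gitea's own code: it parses an unescaped and a per-segment escaped link to the file name from the report and shows where each one resolves. The `repoPrefix` value and the helper names `escapePathSegments` and `splitLink` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// repoPrefix is a hypothetical repository URL prefix (assumption, not from the issue).
const repoPrefix = "/org/repo/src/branch/main/"

// escapePathSegments percent-encodes every segment of a tree path and keeps
// "/" as the separator, so "#" becomes "%23" instead of starting a fragment.
func escapePathSegments(treePath string) string {
	segs := strings.Split(treePath, "/")
	for i, s := range segs {
		segs[i] = url.PathEscape(s)
	}
	return strings.Join(segs, "/")
}

// splitLink reports which path and fragment a URL parser derives from a link.
func splitLink(link string) (path, fragment string) {
	u, err := url.Parse(link)
	if err != nil {
		return "", ""
	}
	return u.Path, u.Fragment
}

func main() {
	file := "src/#softw#ztoprep.prog.abap" // file name taken from the issue
	for _, link := range []string{
		repoPrefix + file,                     // unescaped, as in the search results
		repoPrefix + escapePathSegments(file), // escaped, as in the folder browser
	} {
		p, f := splitLink(link)
		fmt.Printf("href=%q\n  path=%q fragment=%q\n", link, p, f)
	}
}
```

The unescaped link resolves to the containing folder with the rest of the file name treated as a fragment, which matches the "wrong object" navigation described in the report.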