playground
/
gogs
mirror of https://github.com/gogits/gogs.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

pkg/context: apply EscapePound at context level 

Always escape template variable {{.Link}} variable and  redirect calls.

Relates to #5442
pull/5446/head
Unknwon 6 years ago
parent
1843354d88
commit
0d66b1cc1c
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
8 changed files with 20 additions and 14 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      gogs.go
  2. 16
      pkg/context/context.go
  3. 4
      pkg/template/template.go
  4. 2
      routes/repo/editor.go
  5. 2
      templates/.VERSION
  6. 2
      templates/repo/issue/new_form.tmpl
  7. 4
      templates/repo/settings/protected_branch.tmpl
  8. 2
      templates/repo/wiki/new.tmpl

2
gogs.go
Unescape View File

@ -16,7 +16,7 @@ import (
"github.com/gogs/gogs/pkg/setting" "github.com/gogs/gogs/pkg/setting"
) )
const APP_VER = "0.11.67.0928" const APP_VER = "0.11.68.0928"
func init() { func init() {
setting.AppVer = APP_VER setting.AppVer = APP_VER

16
pkg/context/context.go
Unescape View File

@ -6,7 +6,6 @@ package context
import ( import (
"fmt" "fmt"
"html/template"
"io" "io"
"net/http" "net/http"
"path" "path"
@ -26,6 +25,7 @@ import (
"github.com/gogs/gogs/pkg/auth" "github.com/gogs/gogs/pkg/auth"
"github.com/gogs/gogs/pkg/form" "github.com/gogs/gogs/pkg/form"
"github.com/gogs/gogs/pkg/setting" "github.com/gogs/gogs/pkg/setting"
"github.com/gogs/gogs/pkg/template"
) )
// Context represents context of a request. // Context represents context of a request.
@ -138,10 +138,16 @@ func (c *Context) JSONSuccess(data interface{}) {
c.JSON(http.StatusOK, data) c.JSON(http.StatusOK, data)
} }
// Redirect responses redirection wtih given location and status.
// It escapes special characters in the location string.
func (c *Context) Redirect(location string, status ...int) {
c.Context.Redirect(template.EscapePound(location), status...)
}
// SubURLRedirect responses redirection wtih given location and status. // SubURLRedirect responses redirection wtih given location and status.
// It prepends setting.AppSubURL to the location string. // It prepends setting.AppSubURL to the location string.
func (c *Context) SubURLRedirect(location string, status ...int) { func (c *Context) SubURLRedirect(location string, status ...int) {
c.Redirect(setting.AppSubURL + location) c.Redirect(setting.AppSubURL+location, status...)
} }
// RenderWithErr used for page has form validation but need to prompt error to users. // RenderWithErr used for page has form validation but need to prompt error to users.
@ -227,7 +233,7 @@ func Contexter() macaron.Handler {
}, },
Org: &Organization{}, Org: &Organization{},
} }
c.Data["Link"] = c.Link c.Data["Link"] = template.EscapePound(c.Link)
c.Data["PageStartTime"] = time.Now() c.Data["PageStartTime"] = time.Now()
// Quick responses appropriate go-get meta with status 200 // Quick responses appropriate go-get meta with status 200
@ -296,13 +302,13 @@ func Contexter() macaron.Handler {
// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid. // If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") { if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
c.Handle(500, "ParseMultipartForm", err) c.ServerError("ParseMultipartForm", err)
return return
} }
} }
c.Data["CSRFToken"] = x.GetToken() c.Data["CSRFToken"] = x.GetToken()
c.Data["CSRFTokenHTML"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`) c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
log.Trace("Session ID: %s", sess.ID()) log.Trace("Session ID: %s", sess.ID())
log.Trace("CSRF Token: %v", c.Data["CSRFToken"]) log.Trace("CSRF Token: %v", c.Data["CSRFToken"])

4
pkg/template/template.go
Unescape View File

@ -64,7 +64,7 @@ func NewFuncMap() []template.FuncMap {
"AppendAvatarSize": tool.AppendAvatarSize, "AppendAvatarSize": tool.AppendAvatarSize,
"Safe": Safe, "Safe": Safe,
"Sanitize": bluemonday.UGCPolicy().Sanitize, "Sanitize": bluemonday.UGCPolicy().Sanitize,
"Str2html": Str2html, "Str2html": Str2HTML,
"NewLine2br": NewLine2br, "NewLine2br": NewLine2br,
"TimeSince": tool.TimeSince, "TimeSince": tool.TimeSince,
"RawTimeSince": tool.RawTimeSince, "RawTimeSince": tool.RawTimeSince,
@ -127,7 +127,7 @@ func Safe(raw string) template.HTML {
return template.HTML(raw) return template.HTML(raw)
} }
func Str2html(raw string) template.HTML { func Str2HTML(raw string) template.HTML {
return template.HTML(markup.Sanitize(raw)) return template.HTML(markup.Sanitize(raw))
} }

2
routes/repo/editor.go
Unescape View File

@ -286,7 +286,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
if f.IsNewBrnach() && c.Repo.PullRequest.Allowed { if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName)) c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
} else { } else {
c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + template.EscapePound(f.TreePath)) c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + f.TreePath)
} }
} }

2
templates/.VERSION
Unescape View File

@ -1 +1 @@
0.11.67.0928 0.11.68.0928

2
templates/repo/issue/new_form.tmpl
Unescape View File

@ -1,4 +1,4 @@
<form class="ui comment form grid" action="{{EscapePound .Link}}" method="post"> <form class="ui comment form grid" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
{{if .Flash}} {{if .Flash}}
<div class="sixteen wide column"> <div class="sixteen wide column">

4
templates/repo/settings/protected_branch.tmpl
Unescape View File

@ -11,7 +11,7 @@
</h4> </h4>
<div class="ui attached segment branch-protection"> <div class="ui attached segment branch-protection">
<p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p> <p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
<form class="ui form" action="{{EscapePound .Link}}" method="post"> <form class="ui form" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
<div class="inline field"> <div class="inline field">
<div class="ui checkbox"> <div class="ui checkbox">
@ -83,4 +83,4 @@
</div> </div>
</div> </div>
</div> </div>
{{template "base/footer" .}} {{template "base/footer" .}}

2
templates/repo/wiki/new.tmpl
Unescape View File

@ -11,7 +11,7 @@
</div> </div>
{{end}} {{end}}
</div> </div>
<form class="ui form" action="{{EscapePound .Link}}" method="post"> <form class="ui form" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
<input type="hidden" name="old_title" value="{{.old_title}}"> <input type="hidden" name="old_title" value="{{.old_title}}">
<div class="field {{if .Err_Title}}error{{end}}"> <div class="field {{if .Err_Title}}error{{end}}">

Write Preview
Loading…
Cancel
Save