diff options
| author | Feuerfuchs <git@feuerfuchs.dev> | 2019-06-17 15:27:14 +0200 |
|---|---|---|
| committer | Feuerfuchs <git@feuerfuchs.dev> | 2019-06-17 15:27:14 +0200 |
| commit | d768bc93bcd0087925bcdc878456bf0016a84fc8 (patch) | |
| tree | 5f2d4ca249e8f5668c849dab0151a621a7b6c54c | |
| parent | Fix indent bug (diff) | |
| download | gopherproxy-d768bc93bcd0087925bcdc878456bf0016a84fc8.tar.gz gopherproxy-d768bc93bcd0087925bcdc878456bf0016a84fc8.tar.bz2 gopherproxy-d768bc93bcd0087925bcdc878456bf0016a84fc8.zip | |
Fix for unescaped HTML
| -rw-r--r-- | gopherproxy.go | 20 | ||||
| -rw-r--r-- | template.go | 4 |
2 files changed, 14 insertions, 10 deletions
diff --git a/gopherproxy.go b/gopherproxy.go index f034cb9..74f33bb 100644 --- a/gopherproxy.go +++ b/gopherproxy.go | |||
| @@ -3,6 +3,7 @@ package gopherproxy | |||
| 3 | import ( | 3 | import ( |
| 4 | "bytes" | 4 | "bytes" |
| 5 | "fmt" | 5 | "fmt" |
| 6 | "html" | ||
| 6 | "html/template" | 7 | "html/template" |
| 7 | "io" | 8 | "io" |
| 8 | "io/ioutil" | 9 | "io/ioutil" |
| @@ -74,9 +75,9 @@ func renderDirectory(w http.ResponseWriter, tpl *template.Template, styletext st | |||
| 74 | } | 75 | } |
| 75 | 76 | ||
| 76 | return tpl.Execute(w, struct { | 77 | return tpl.Execute(w, struct { |
| 77 | Title string | 78 | Title string |
| 78 | Style string | 79 | Style string |
| 79 | Lines []Item | 80 | Lines []Item |
| 80 | RawText string | 81 | RawText string |
| 81 | }{title, styletext, out, ""}) | 82 | }{title, styletext, out, ""}) |
| 82 | } | 83 | } |
| @@ -140,7 +141,7 @@ func GopherHandler(tpl *template.Template, robotsdata *robotstxt.RobotsData, sty | |||
| 140 | RawText string | 141 | RawText string |
| 141 | Lines []Item | 142 | Lines []Item |
| 142 | }{uri, styletext, buf.String(), nil}) | 143 | }{uri, styletext, buf.String(), nil}) |
| 143 | } else { | 144 | } else { |
| 144 | io.Copy(w, res.Body) | 145 | io.Copy(w, res.Body) |
| 145 | } | 146 | } |
| 146 | } else { | 147 | } else { |
| @@ -248,13 +249,16 @@ func ListenAndServe(bind, robotsfile, uri string) error { | |||
| 248 | } | 249 | } |
| 249 | 250 | ||
| 250 | funcMap := template.FuncMap{ | 251 | funcMap := template.FuncMap{ |
| 251 | "safeHtml": func(s string) template.HTML { | 252 | "safeHtml": func(s string) template.HTML { |
| 252 | return template.HTML(s) | 253 | return template.HTML(s) |
| 253 | }, | 254 | }, |
| 254 | "safeCss": func(s string) template.CSS { | 255 | "safeCss": func(s string) template.CSS { |
| 255 | return template.CSS(s) | 256 | return template.CSS(s) |
| 256 | }, | 257 | }, |
| 257 | } | 258 | "HTMLEscape": func(s string) string { |
| 259 | return html.EscapeString(s) | ||
| 260 | }, | ||
| 261 | } | ||
| 258 | 262 | ||
| 259 | tpl, err = template.New("gophermenu").Funcs(funcMap).Parse(tpltext) | 263 | tpl, err = template.New("gophermenu").Funcs(funcMap).Parse(tpltext) |
| 260 | if err != nil { | 264 | if err != nil { |
diff --git a/template.go b/template.go index 32b75be..781d2bb 100644 --- a/template.go +++ b/template.go | |||
| @@ -21,9 +21,9 @@ var tpltext = `<!doctype html> | |||
| 21 | {{- $content = printf "%s\n" $content -}} | 21 | {{- $content = printf "%s\n" $content -}} |
| 22 | {{- end -}} | 22 | {{- end -}} |
| 23 | {{- if .Link -}} | 23 | {{- if .Link -}} |
| 24 | {{- $content = printf "%s%s" $content (printf "<span class=\"link-type\">%s </span><a class=\"link link--%s\" href=\"%s\">%s</a>" .Type .Type .Link .Text) -}} | 24 | {{- $content = printf "%s%s" $content (printf "<span class=\"link-type\">%s </span><a class=\"link link--%s\" href=\"%s\">%s</a>" .Type .Type .Link (.Text | HTMLEscape)) -}} |
| 25 | {{- else -}} | 25 | {{- else -}} |
| 26 | {{- $content = printf "%s%s" $content (printf " %s" .Text) -}} | 26 | {{- $content = printf "%s%s" $content (printf " %s" (.Text | HTMLEscape)) -}} |
| 27 | {{- end -}} | 27 | {{- end -}} |
| 28 | {{- end -}} | 28 | {{- end -}} |
| 29 | {{- $content | safeHtml -}} | 29 | {{- $content | safeHtml -}} |