From d768bc93bcd0087925bcdc878456bf0016a84fc8 Mon Sep 17 00:00:00 2001
From: Feuerfuchs
Date: Mon, 17 Jun 2019 15:27:14 +0200
Subject: Fix for unescaped HTML
---
 gopherproxy.go | 20 ++++++++++++--------
 template.go | 4 ++--
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/gopherproxy.go b/gopherproxy.go
index f034cb9..74f33bb 100644
--- a/gopherproxy.go
+++ b/gopherproxy.go
@@ -3,6 +3,7 @@ package gopherproxy
 import (
 "bytes"
 "fmt"
+ "html"
 "html/template"
 "io"
 "io/ioutil"
@@ -74,9 +75,9 @@ func renderDirectory(w http.ResponseWriter, tpl *template.Template, styletext st
 }
 return tpl.Execute(w, struct {
- Title string
- Style string
- Lines []Item
+ Title string
+ Style string
+ Lines []Item
 RawText string
 }{title, styletext, out, ""})
 }
@@ -140,7 +141,7 @@ func GopherHandler(tpl *template.Template, robotsdata *robotstxt.RobotsData, sty
 RawText string
 Lines []Item
 }{uri, styletext, buf.String(), nil})
- } else {
+ } else {
 io.Copy(w, res.Body)
 }
 } else {
@@ -248,13 +249,16 @@ func ListenAndServe(bind, robotsfile, uri string) error {
 }
 funcMap := template.FuncMap{
- "safeHtml": func(s string) template.HTML {
- return template.HTML(s)
- },
+ "safeHtml": func(s string) template.HTML {
+ return template.HTML(s)
+ },
 "safeCss": func(s string) template.CSS {
 return template.CSS(s)
 },
- }
+ "HTMLEscape": func(s string) string {
+ return html.EscapeString(s)
+ },
+ }
 tpl, err = template.New("gophermenu").Funcs(funcMap).Parse(tpltext)
 if err != nil {
diff --git a/template.go b/template.go
index 32b75be..781d2bb 100644
--- a/template.go
+++ b/template.go
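Review bot: The new `"HTMLEscape"` entry in funcMap in the ListenAndServe hunk wraps html.EscapeString in a closure that only forwards its argument; the function value can be registered directly, `"HTMLEscape": html.EscapeString,`. text/template, and therefore html/template, already provides a predefined `html` pipeline function with the same behaviour, so the custom name is only worth keeping if the template is meant to stay explicit about where escaping happens. A one-line comment such as `// HTMLEscape escapes menu text that the template concatenates and then marks as safeHtml.` would record why it exists next to the two unsafe-marking helpers. ListenAndServe continues outside the hunk.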
@@ -21,9 +21,9 @@ var tpltext = `
 {{- $content = printf "%s\n" $content -}}
 {{- end -}}
 {{- if .Link -}}
- {{- $content = printf "%s%s" $content (printf "%s %s" .Type .Type .Link .Text) -}}
+ {{- $content = printf "%s%s" $content (printf "%s %s" .Type .Type .Link (.Text | HTMLEscape)) -}}
 {{- else -}}
- {{- $content = printf "%s%s" $content (printf " %s" .Text) -}}
+ {{- $content = printf "%s%s" $content (printf " %s" (.Text | HTMLEscape)) -}}
 {{- end -}}
 {{- end -}}
 {{- $content | safeHtml -}}
-- cgit v1.2.3-70-g09d2
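Review bot: Only `.Text` is escaped in the two rewritten printf lines; `.Type` and `.Link` are still concatenated raw into `$content`, which the final context line then marks as trusted via `safeHtml`, so html/template's contextual escaping applies to none of that string. Link values are presumably taken from the remote gopher menu, so unless they are escaped when the Item is built (not visible here) a link containing a quote or angle bracket still reaches the generated markup unescaped; at minimum the same pipe, `.Link | HTMLEscape`, should be applied, and the more robust fix is to let the template emit the markup itself instead of building it with printf and bypassing autoescape with safeHtml. The `"%s %s"` format is shown with four arguments, which looks like markup lost in rendering rather than a defect in the patch. tpltext continues outside the hunk.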