mirror of
https://github.com/gogs/gogs.git
synced 2025-12-20 15:20:01 +01:00
pkg/context: apply EscapePound at context level
Always escape template variable {{.Link}} variable and redirect calls.
Relates to #5442
This commit is contained in:
Unknwon
2
gogs.go
2
gogs.go
@@ -16,7 +16,7 @@ import (
|
|||||||
"github.com/gogs/gogs/pkg/setting"
|
"github.com/gogs/gogs/pkg/setting"
|
||||||
)
|
)
|
||||||
|
|
||||||
const APP_VER = "0.11.67.0928"
|
const APP_VER = "0.11.68.0928"
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
setting.AppVer = APP_VER
|
setting.AppVer = APP_VER
|
||||||
|
|||||||
@@ -6,7 +6,6 @@ package context
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"html/template"
|
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
"path"
|
"path"
|
||||||
@@ -26,6 +25,7 @@ import (
|
|||||||
"github.com/gogs/gogs/pkg/auth"
|
"github.com/gogs/gogs/pkg/auth"
|
||||||
"github.com/gogs/gogs/pkg/form"
|
"github.com/gogs/gogs/pkg/form"
|
||||||
"github.com/gogs/gogs/pkg/setting"
|
"github.com/gogs/gogs/pkg/setting"
|
||||||
|
"github.com/gogs/gogs/pkg/template"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Context represents context of a request.
|
// Context represents context of a request.
|
||||||
@@ -138,10 +138,16 @@ func (c *Context) JSONSuccess(data interface{}) {
|
|||||||
c.JSON(http.StatusOK, data)
|
c.JSON(http.StatusOK, data)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Redirect responses redirection wtih given location and status.
|
||||||
|
// It escapes special characters in the location string.
|
||||||
|
func (c *Context) Redirect(location string, status ...int) {
|
||||||
|
c.Context.Redirect(template.EscapePound(location), status...)
|
||||||
|
}
|
||||||
|
|
||||||
// SubURLRedirect responses redirection wtih given location and status.
|
// SubURLRedirect responses redirection wtih given location and status.
|
||||||
// It prepends setting.AppSubURL to the location string.
|
// It prepends setting.AppSubURL to the location string.
|
||||||
func (c *Context) SubURLRedirect(location string, status ...int) {
|
func (c *Context) SubURLRedirect(location string, status ...int) {
|
||||||
c.Redirect(setting.AppSubURL + location)
|
c.Redirect(setting.AppSubURL+location, status...)
|
||||||
}
|
}
|
||||||
|
|
||||||
// RenderWithErr used for page has form validation but need to prompt error to users.
|
// RenderWithErr used for page has form validation but need to prompt error to users.
|
||||||
@@ -227,7 +233,7 @@ func Contexter() macaron.Handler {
|
|||||||
},
|
},
|
||||||
Org: &Organization{},
|
Org: &Organization{},
|
||||||
}
|
}
|
||||||
c.Data["Link"] = c.Link
|
c.Data["Link"] = template.EscapePound(c.Link)
|
||||||
c.Data["PageStartTime"] = time.Now()
|
c.Data["PageStartTime"] = time.Now()
|
||||||
|
|
||||||
// Quick responses appropriate go-get meta with status 200
|
// Quick responses appropriate go-get meta with status 200
|
||||||
@@ -296,13 +302,13 @@ func Contexter() macaron.Handler {
|
|||||||
// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
|
// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
|
||||||
if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
|
if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
|
||||||
if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
|
if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
|
||||||
c.Handle(500, "ParseMultipartForm", err)
|
c.ServerError("ParseMultipartForm", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
c.Data["CSRFToken"] = x.GetToken()
|
c.Data["CSRFToken"] = x.GetToken()
|
||||||
c.Data["CSRFTokenHTML"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
|
c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
|
||||||
log.Trace("Session ID: %s", sess.ID())
|
log.Trace("Session ID: %s", sess.ID())
|
||||||
log.Trace("CSRF Token: %v", c.Data["CSRFToken"])
|
log.Trace("CSRF Token: %v", c.Data["CSRFToken"])
|
||||||
|
|
||||||
|
|||||||
@@ -64,7 +64,7 @@ func NewFuncMap() []template.FuncMap {
|
|||||||
"AppendAvatarSize": tool.AppendAvatarSize,
|
"AppendAvatarSize": tool.AppendAvatarSize,
|
||||||
"Safe": Safe,
|
"Safe": Safe,
|
||||||
"Sanitize": bluemonday.UGCPolicy().Sanitize,
|
"Sanitize": bluemonday.UGCPolicy().Sanitize,
|
||||||
"Str2html": Str2html,
|
"Str2html": Str2HTML,
|
||||||
"NewLine2br": NewLine2br,
|
"NewLine2br": NewLine2br,
|
||||||
"TimeSince": tool.TimeSince,
|
"TimeSince": tool.TimeSince,
|
||||||
"RawTimeSince": tool.RawTimeSince,
|
"RawTimeSince": tool.RawTimeSince,
|
||||||
@@ -127,7 +127,7 @@ func Safe(raw string) template.HTML {
|
|||||||
return template.HTML(raw)
|
return template.HTML(raw)
|
||||||
}
|
}
|
||||||
|
|
||||||
func Str2html(raw string) template.HTML {
|
func Str2HTML(raw string) template.HTML {
|
||||||
return template.HTML(markup.Sanitize(raw))
|
return template.HTML(markup.Sanitize(raw))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -286,7 +286,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
|
|||||||
if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
|
if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
|
||||||
c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
|
c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
|
||||||
} else {
|
} else {
|
||||||
c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + template.EscapePound(f.TreePath))
|
c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + f.TreePath)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
0.11.67.0928
|
0.11.68.0928
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
<form class="ui comment form grid" action="{{EscapePound .Link}}" method="post">
|
<form class="ui comment form grid" action="{{.Link}}" method="post">
|
||||||
{{.CSRFTokenHTML}}
|
{{.CSRFTokenHTML}}
|
||||||
{{if .Flash}}
|
{{if .Flash}}
|
||||||
<div class="sixteen wide column">
|
<div class="sixteen wide column">
|
||||||
|
|||||||
@@ -11,7 +11,7 @@
|
|||||||
</h4>
|
</h4>
|
||||||
<div class="ui attached segment branch-protection">
|
<div class="ui attached segment branch-protection">
|
||||||
<p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
|
<p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
|
||||||
<form class="ui form" action="{{EscapePound .Link}}" method="post">
|
<form class="ui form" action="{{.Link}}" method="post">
|
||||||
{{.CSRFTokenHTML}}
|
{{.CSRFTokenHTML}}
|
||||||
<div class="inline field">
|
<div class="inline field">
|
||||||
<div class="ui checkbox">
|
<div class="ui checkbox">
|
||||||
|
|||||||
@@ -11,7 +11,7 @@
|
|||||||
</div>
|
</div>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
<form class="ui form" action="{{EscapePound .Link}}" method="post">
|
<form class="ui form" action="{{.Link}}" method="post">
|
||||||
{{.CSRFTokenHTML}}
|
{{.CSRFTokenHTML}}
|
||||||
<input type="hidden" name="old_title" value="{{.old_title}}">
|
<input type="hidden" name="old_title" value="{{.old_title}}">
|
||||||
<div class="field {{if .Err_Title}}error{{end}}">
|
<div class="field {{if .Err_Title}}error{{end}}">
|
||||||
|
|||||||
Reference in New Issue
Block a user