Security: prevent XSS attach on wiki page

Reported by Miguel Ángel Jimeno.
This commit is contained in:
Unknwon 2017-02-15 18:05:02 -05:00 committed by Kim "BKC" Carlbäcker
parent 43c94d0a6c
commit 134f3e6e09
2 changed files with 8 additions and 5 deletions

View file

@ -15,6 +15,7 @@ import (
"strings"
"time"
"github.com/microcosm-cc/bluemonday"
"golang.org/x/net/html/charset"
"golang.org/x/text/transform"
"gopkg.in/editorconfig/editorconfig-core-go.v1"
@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
},
"AvatarLink": base.AvatarLink,
"Safe": Safe,
"Sanitize": bluemonday.UGCPolicy().Sanitize,
"Str2html": Str2html,
"TimeSince": base.TimeSince,
"RawTimeSince": base.RawTimeSince,

View file

@ -1,6 +1,7 @@
{{template "base/head" .}}
<div class="repository wiki view">
{{template "repo/header" .}}
{{ $title := .title | Sanitize}}
<div class="ui container">
<div class="ui grid">
<div class="ui ten wide column">
@ -9,7 +10,7 @@
<div class="ui basic small button">
<span class="text">
{{.i18n.Tr "repo.wiki.page"}}:
<strong>{{.title}}</strong>
<strong>{{$title}}</strong>
</span>
<i class="dropdown icon"></i>
</div>
@ -20,7 +21,7 @@
</div>
<div class="scrolling menu">
{{range .Pages}}
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div>
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div>
{{end}}
</div>
</div>
@ -50,8 +51,8 @@
</div>
</div>
</div>
<div class="ui header">
{{.title}}
<div class="ui dividing header">
{{$title}}
{{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
<div class="ui right">
<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a>
@ -95,7 +96,7 @@
{{.i18n.Tr "repo.wiki.delete_page_button"}}
</div>
<div class="content">
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p>
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p>
</div>
{{template "base/delete_modal_actions" .}}
</div>