From 91836614cdf6ae664f5ae85c7c9fcdc70b855b83 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 16 Feb 2017 17:02:15 +0800 Subject: [PATCH] Security: prevent XSS attach on wiki page (#955) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reported by Miguel Ángel Jimeno. --- modules/templates/helper.go | 2 ++ templates/repo/wiki/view.tmpl | 9 +++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/modules/templates/helper.go b/modules/templates/helper.go index c25645539..e844cacd3 100644 --- a/modules/templates/helper.go +++ b/modules/templates/helper.go @@ -15,6 +15,7 @@ import ( "strings" "time" + "github.com/microcosm-cc/bluemonday" "golang.org/x/net/html/charset" "golang.org/x/text/transform" "gopkg.in/editorconfig/editorconfig-core-go.v1" @@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap { }, "AvatarLink": base.AvatarLink, "Safe": Safe, + "Sanitize": bluemonday.UGCPolicy().Sanitize, "Str2html": Str2html, "TimeSince": base.TimeSince, "RawTimeSince": base.RawTimeSince, diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl index b8b0d2702..a8f1b508c 100644 --- a/templates/repo/wiki/view.tmpl +++ b/templates/repo/wiki/view.tmpl @@ -1,6 +1,7 @@ {{template "base/head" .}}
{{template "repo/header" .}} + {{ $title := .title | Sanitize}}
@@ -9,7 +10,7 @@
{{.i18n.Tr "repo.wiki.page"}}: - {{.title}} + {{$title}}
@@ -20,7 +21,7 @@
@@ -51,7 +52,7 @@
- {{.title}} + {{$title}} {{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
{{.i18n.Tr "repo.wiki.edit_page_button"}} @@ -76,7 +77,7 @@ {{.i18n.Tr "repo.wiki.delete_page_button"}}
-

{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}

+

{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}

{{template "base/delete_modal_actions" .}}