MieuxVoter
/
gitea-fork-majority-judgment
mirror of https://github.com/domi41/gitea.git
4
0
Fork 0
Code Issues 8 Releases Wiki Polls Activity

Security: prevent XSS attach on wiki page

Browse Source 
Reported by Miguel Ángel Jimeno.
release/v1.1
Unknwon 7 years ago committed by Kim "BKC" Carlbäcker
parent 43c94d0a6c
commit 134f3e6e09
2 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File

2
modules/templates/helper.go
Unescape View File

@ -15,6 +15,7 @@ import (
"strings"
"time"
"github.com/microcosm-cc/bluemonday"
"golang.org/x/net/html/charset"
"golang.org/x/text/transform"
"gopkg.in/editorconfig/editorconfig-core-go.v1"
@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
},
"AvatarLink": base.AvatarLink,
"Safe": Safe,
"Sanitize": bluemonday.UGCPolicy().Sanitize,
"Str2html": Str2html,
"TimeSince": base.TimeSince,
"RawTimeSince": base.RawTimeSince,

11
templates/repo/wiki/view.tmpl
Unescape View File

@ -1,6 +1,7 @@
{{template "base/head" .}}
<div class="repository wiki view">
{{template "repo/header" .}}
{{ $title := .title | Sanitize}}
<div class="ui container">
<div class="ui grid">
<div class="ui ten wide column">
@ -9,7 +10,7 @@
<div class="ui basic small button">
<span class="text">
{{.i18n.Tr "repo.wiki.page"}}:
<strong>{{.title}}</strong>
<strong>{{$title}}</strong>
</span>
<i class="dropdown icon"></i>
</div>
@ -20,7 +21,7 @@
</div>
<div class="scrolling menu">
{{range .Pages}}
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div>
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div>
{{end}}
</div>
</div>
@ -50,8 +51,8 @@
</div>
</div>
</div>
<div class="ui header">
{{.title}}
<div class="ui dividing header">
{{$title}}
{{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
<div class="ui right">
<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a>
@ -95,7 +96,7 @@
{{.i18n.Tr "repo.wiki.delete_page_button"}}
</div>
<div class="content">
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p>
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p>
</div>
{{template "base/delete_modal_actions" .}}
</div>

Write Preview
Loading…
Cancel
Save