
Security: prevent XSS attach on wiki page

Reported by Miguel Ángel Jimeno.
Unknwon 2 years ago
parent
commit
134f3e6e09
2 changed files with 8 additions and 5 deletions
  1. 2 0
      modules/templates/helper.go
  2. 6 5
      templates/repo/wiki/view.tmpl

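--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 	"gopkg.in/editorconfig/editorconfig-core-go.v1"
@@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
 		},
 		"AvatarLink":   base.AvatarLink,
 		"Safe":         Safe,
+		"Sanitize":     bluemonday.UGCPolicy().Sanitize,
 		"Str2html":     Str2html,
 		"TimeSince":    base.TimeSince,
 		"RawTimeSince": base.RawTimeSince,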

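--- a/templates/repo/wiki/view.tmpl
+++ b/templates/repo/wiki/view.tmpl
@@ -1,6 +1,7 @@
 {{template "base/head" .}}
 <div class="repository wiki view">
 	{{template "repo/header" .}}
+	{{ $title := .title | Sanitize}}
 	<div class="ui container">
 		<div class="ui grid">
 			<div class="ui ten wide column">
@@ -9,7 +10,7 @@
 						<div class="ui basic small button">
 							<span class="text">
 								{{.i18n.Tr "repo.wiki.page"}}:
-								<strong>{{.title}}</strong>
+								<strong>{{$title}}</strong>
 							</span>
 							<i class="dropdown icon"></i>
 						</div>
@@ -20,7 +21,7 @@
 							</div>
 							<div class="scrolling menu">
 								{{range .Pages}}
-									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div>
+									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div>
 								{{end}}
 							</div>
 						</div>
@@ -50,8 +51,8 @@
 				</div>
 			</div>
 		</div>
-		<div class="ui header">
-			{{.title}}
+		<div class="ui dividing header">
+			{{$title}}
 			{{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
 				<div class="ui right">
 					<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a>
@@ -95,7 +96,7 @@
 		{{.i18n.Tr "repo.wiki.delete_page_button"}}
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p>
+		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>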
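Review bot: `$title` is bluemonday's entity-encoded output, so at `<strong>{{$title}}</strong>`, the header `{{$title}}` and `{{.Name | Sanitize}}` it is likely encoded a second time if these templates render through html/template, which already escapes text contexts — a title containing `&` or `<` would then display as the literal `&amp;` or `&lt;`. The site that needed the fix is the `| Safe` pipeline in the delete notice, where the value is emitted as raw HTML; the other sites could keep `{{.title}}` / `{{.Name}}` only if html/template escaping is confirmed to apply there, and should stay sanitized if the renderer is text/template. A comment beside the new definition would record that contract, e.g. `{{/* entity-encoded copy of the page title; the only form that may be passed through Safe */}}`. The `dividing` class change in the header hunk is unrelated to the security fix and would be easier to review on its own.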