mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-10-31 22:58:59 +01:00
Security: prevent XSS attach on wiki page (#955)
Reported by Miguel Ángel Jimeno.
This commit is contained in:
Lunny Xiao
GitHub
parent
ab4eb0daf9
commit
91836614cd
2 changed files with 7 additions and 4 deletions
|
|
@ -15,6 +15,7 @@ import (
|
|||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/microcosm-cc/bluemonday"
|
||||
"golang.org/x/net/html/charset"
|
||||
"golang.org/x/text/transform"
|
||||
"gopkg.in/editorconfig/editorconfig-core-go.v1"
|
||||
|
|
@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
|
|||
},
|
||||
"AvatarLink": base.AvatarLink,
|
||||
"Safe": Safe,
|
||||
"Sanitize": bluemonday.UGCPolicy().Sanitize,
|
||||
"Str2html": Str2html,
|
||||
"TimeSince": base.TimeSince,
|
||||
"RawTimeSince": base.RawTimeSince,
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{{template "base/head" .}}
|
||||
<div class="repository wiki view">
|
||||
{{template "repo/header" .}}
|
||||
{{ $title := .title | Sanitize}}
|
||||
<div class="ui container">
|
||||
<div class="ui grid">
|
||||
<div class="ui ten wide column">
|
||||
|
|
@ -9,7 +10,7 @@
|
|||
<div class="ui basic small button">
|
||||
<span class="text">
|
||||
{{.i18n.Tr "repo.wiki.page"}}:
|
||||
<strong>{{.title}}</strong>
|
||||
<strong>{{$title}}</strong>
|
||||
</span>
|
||||
<i class="dropdown icon"></i>
|
||||
</div>
|
||||
|
|
@ -20,7 +21,7 @@
|
|||
</div>
|
||||
<div class="scrolling menu">
|
||||
{{range .Pages}}
|
||||
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div>
|
||||
<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div>
|
||||
{{end}}
|
||||
</div>
|
||||
</div>
|
||||
|
|
@ -51,7 +52,7 @@
|
|||
</div>
|
||||
</div>
|
||||
<div class="ui dividing header">
|
||||
{{.title}}
|
||||
{{$title}}
|
||||
{{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
|
||||
<div class="ui right">
|
||||
<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a>
|
||||
|
|
@ -76,7 +77,7 @@
|
|||
{{.i18n.Tr "repo.wiki.delete_page_button"}}
|
||||
</div>
|
||||
<div class="content">
|
||||
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p>
|
||||
<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p>
|
||||
</div>
|
||||
{{template "base/delete_modal_actions" .}}
|
||||
</div>
|
||||
|
|
|
|||
Loading…
Reference in a new issue