mirror of
https://github.com/go-gitea/gitea
synced 2024-12-22 08:14:12 +01:00
Fixes xss, clickjacking & password autocompletion
This commit is contained in:
parent
ccad2cce32
commit
1e9730a779
5 changed files with 13 additions and 10 deletions
|
@ -6,6 +6,7 @@ package context
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"html"
|
||||
"html/template"
|
||||
"io"
|
||||
"net/http"
|
||||
|
@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
|
|||
}
|
||||
}
|
||||
|
||||
ctx.Data["CsrfToken"] = x.GetToken()
|
||||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
|
||||
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
||||
|
||||
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
|
||||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
|
||||
log.Debug("Session ID: %s", sess.ID())
|
||||
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
{{if .IsResetForm}}
|
||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" autofocus required>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
|
||||
</div>
|
||||
<div class="ui divider"></div>
|
||||
<div class="inline field">
|
||||
|
|
|
@ -15,7 +15,7 @@
|
|||
</div>
|
||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" required>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
|
||||
</div>
|
||||
<div class="inline field">
|
||||
<label></label>
|
||||
|
|
|
@ -22,11 +22,11 @@
|
|||
</div>
|
||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" required>
|
||||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
|
||||
</div>
|
||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||
<label for="retype">{{.i18n.Tr "re_type"}}</label>
|
||||
<input id="retype" name="retype" type="password" value="{{.retype}}" required>
|
||||
<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
|
||||
</div>
|
||||
{{if .EnableCaptcha}}
|
||||
<div class="inline field">
|
||||
|
|
|
@ -14,15 +14,15 @@
|
|||
{{.CsrfTokenHtml}}
|
||||
<div class="required field {{if .Err_OldPassword}}error{{end}}">
|
||||
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
|
||||
<input id="old_password" name="old_password" type="password" autofocus required>
|
||||
<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
|
||||
</div>
|
||||
<div class="required field {{if .Err_Password}}error{{end}}">
|
||||
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
|
||||
<input id="password" name="password" type="password" required>
|
||||
<input id="password" name="password" type="password" autocomplete="off" required>
|
||||
</div>
|
||||
<div class="required field {{if .Err_Password}}error{{end}}">
|
||||
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
|
||||
<input id="retype" name="retype" type="password" required>
|
||||
<input id="retype" name="retype" type="password" autocomplete="off" required>
|
||||
</div>
|
||||
|
||||
<div class="field">
|
||||
|
@ -33,7 +33,7 @@
|
|||
<div class="ui info message">
|
||||
<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
|
||||
</div>
|
||||
{{end}}
|
||||
{{end}}
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
|
Loading…
Reference in a new issue