0
0
Fork 0
mirror of https://github.com/go-gitea/gitea synced 2024-12-18 11:44:30 +01:00

Merge pull request #306 from Bwko/Security

Fixes xss, clickjacking & password autocompletion
This commit is contained in:
Matthias Loibl 2016-11-30 08:22:45 +01:00 committed by GitHub
commit 6dc6926abe
5 changed files with 13 additions and 10 deletions

View file

@ -6,6 +6,7 @@ package context
import (
"fmt"
"html"
"html/template"
"io"
"net/http"
@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
}
}
ctx.Data["CsrfToken"] = x.GetToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
log.Debug("Session ID: %s", sess.ID())
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])

View file

@ -13,7 +13,7 @@
{{if .IsResetForm}}
<div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" autofocus required>
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
</div>
<div class="ui divider"></div>
<div class="inline field">

View file

@ -15,7 +15,7 @@
</div>
<div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" required>
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
</div>
<div class="inline field">
<label></label>

View file

@ -22,11 +22,11 @@
</div>
<div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "password"}}</label>
<input id="password" name="password" type="password" value="{{.password}}" required>
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
</div>
<div class="required inline field {{if .Err_Password}}error{{end}}">
<label for="retype">{{.i18n.Tr "re_type"}}</label>
<input id="retype" name="retype" type="password" value="{{.retype}}" required>
<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
</div>
{{if .EnableCaptcha}}
<div class="inline field">

View file

@ -14,15 +14,15 @@
{{.CsrfTokenHtml}}
<div class="required field {{if .Err_OldPassword}}error{{end}}">
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
<input id="old_password" name="old_password" type="password" autofocus required>
<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
</div>
<div class="required field {{if .Err_Password}}error{{end}}">
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
<input id="password" name="password" type="password" required>
<input id="password" name="password" type="password" autocomplete="off" required>
</div>
<div class="required field {{if .Err_Password}}error{{end}}">
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
<input id="retype" name="retype" type="password" required>
<input id="retype" name="retype" type="password" autocomplete="off" required>
</div>
<div class="field">