fixed xss issue in text preview

* reported by Tim / polym
This commit is contained in:
Remco 2016-02-19 10:40:26 +01:00
parent 2b58d3041d
commit 98399c91dd


@ -34,6 +34,7 @@ import (
"compress/gzip" "compress/gzip"
"errors" "errors"
"fmt" "fmt"
"html"
html_template "html/template" html_template "html/template"
"io" "io"
"io/ioutil" "io/ioutil"
@ -102,7 +103,7 @@ func previewHandler(w http.ResponseWriter, r *http.Request) {
output := blackfriday.MarkdownCommon(data) output := blackfriday.MarkdownCommon(data)
content = html_template.HTML(output) content = html_template.HTML(output)
} else if strings.HasPrefix(contentType, "text/plain") { } else if strings.HasPrefix(contentType, "text/plain") {
content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", data)) content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))
} else { } else {
templatePath = "download.sandbox.html" templatePath = "download.sandbox.html"
} }
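Review bot: The markdown branch on the lines just above the changed one still hands blackfriday's output straight to `html_template.HTML` with no sanitizing step, and blackfriday does not strip raw HTML present in its input, so markup in a text/markdown upload is still rendered verbatim by the preview while the text/plain case is now escaped; that branch needs a sanitizer pass before the `html_template.HTML` cast (or, failing that, the same escaping treatment). The new text/plain line is sound for element content, since `html.EscapeString` neutralizes `<`, `>`, `&` and both quote characters before the typed-HTML cast. As a point of style, the escaping helper is already available from the imported template package, `content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html_template.HTMLEscapeString(string(data))))`, which would make the new `"html"` import in the first hunk unnecessary. previewHandler begins and ends outside the hunk, so it is not visible here whether the resulting content is later emitted through the template's contextual escaper or written directly.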