libretic/transfer.sh
6
0
Fork 0
mirror of https://github.com/dutchcoders/transfer.sh.git synced 2024-11-27 06:30:19 +01:00
Code Issues Projects Releases Packages Wiki Activity

fixed xss issue in text preview

Browse source 
* reported by Tim / polym
This commit is contained in:
Remco 2016-02-19 10:40:26 +01:00
parent 2b58d3041d
commit 98399c91dd
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
transfersh-server/handlers.go
View file

@ -34,6 +34,7 @@ import (
"compress/gzip" "compress/gzip"
"errors" "errors"
"fmt" "fmt"
"html"
html_template "html/template" html_template "html/template"
"io" "io"
"io/ioutil" "io/ioutil"
@ -102,7 +103,7 @@ func previewHandler(w http.ResponseWriter, r *http.Request) {
output := blackfriday.MarkdownCommon(data) output := blackfriday.MarkdownCommon(data)
content = html_template.HTML(output) content = html_template.HTML(output)
} else if strings.HasPrefix(contentType, "text/plain") { } else if strings.HasPrefix(contentType, "text/plain") {
content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", data)) content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))
} else { } else {
templatePath = "download.sandbox.html" templatePath = "download.sandbox.html"
} }