pkg/context: apply EscapePound at context level

Always escape template variable {{.Link}} variable and redirect calls. Relates to #5442
2018-09-28 23:56:45 -04:00 · 2018-09-28 23:56:45 -04:00 · 0d66b1cc1c
parent 1843354d88
commit 0d66b1cc1c
8 changed files with 20 additions and 14 deletions
--- a/gogs.go
+++ b/gogs.go
@ -16,7 +16,7 @@ import (
 	"github.com/gogs/gogs/pkg/setting"
 )

-const APP_VER = "0.11.67.0928"
+const APP_VER = "0.11.68.0928"

 func init() {
 	setting.AppVer = APP_VER
--- a/pkg/context/context.go
+++ b/pkg/context/context.go
@ -6,7 +6,6 @@ package context

 import (
 	"fmt"
-	"html/template"
 	"io"
 	"net/http"
 	"path"
@ -26,6 +25,7 @@ import (
 	"github.com/gogs/gogs/pkg/auth"
 	"github.com/gogs/gogs/pkg/form"
 	"github.com/gogs/gogs/pkg/setting"
+	"github.com/gogs/gogs/pkg/template"
 )

 // Context represents context of a request.
@ -138,10 +138,16 @@ func (c *Context) JSONSuccess(data interface{}) {
 	c.JSON(http.StatusOK, data)
 }

+// Redirect responses redirection wtih given location and status.
+// It escapes special characters in the location string.
+func (c *Context) Redirect(location string, status ...int) {
+	c.Context.Redirect(template.EscapePound(location), status...)
+}
+
 // SubURLRedirect responses redirection wtih given location and status.
 // It prepends setting.AppSubURL to the location string.
 func (c *Context) SubURLRedirect(location string, status ...int) {
-	c.Redirect(setting.AppSubURL + location)
+	c.Redirect(setting.AppSubURL+location, status...)
 }

 // RenderWithErr used for page has form validation but need to prompt error to users.
@ -227,7 +233,7 @@ func Contexter() macaron.Handler {
 			},
 			Org: &Organization{},
 		}
-		c.Data["Link"] = c.Link
+		c.Data["Link"] = template.EscapePound(c.Link)
 		c.Data["PageStartTime"] = time.Now()

 		// Quick responses appropriate go-get meta with status 200
@ -296,13 +302,13 @@ func Contexter() macaron.Handler {
 		// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 		if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
 			if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
-				c.Handle(500, "ParseMultipartForm", err)
+				c.ServerError("ParseMultipartForm", err)
 				return
 			}
 		}

 		c.Data["CSRFToken"] = x.GetToken()
-		c.Data["CSRFTokenHTML"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
+		c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
 		log.Trace("Session ID: %s", sess.ID())
 		log.Trace("CSRF Token: %v", c.Data["CSRFToken"])

--- a/pkg/template/template.go
+++ b/pkg/template/template.go
@ -64,7 +64,7 @@ func NewFuncMap() []template.FuncMap {
 		"AppendAvatarSize": tool.AppendAvatarSize,
 		"Safe":             Safe,
 		"Sanitize":         bluemonday.UGCPolicy().Sanitize,
-		"Str2html":         Str2html,
+		"Str2html":         Str2HTML,
 		"NewLine2br":       NewLine2br,
 		"TimeSince":        tool.TimeSince,
 		"RawTimeSince":     tool.RawTimeSince,
@ -127,7 +127,7 @@ func Safe(raw string) template.HTML {
 	return template.HTML(raw)
 }

-func Str2html(raw string) template.HTML {
+func Str2HTML(raw string) template.HTML {
 	return template.HTML(markup.Sanitize(raw))
 }

--- a/routes/repo/editor.go
+++ b/routes/repo/editor.go
@ -286,7 +286,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 	if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
 		c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
 	} else {
-		c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + template.EscapePound(f.TreePath))
+		c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + f.TreePath)
 	}
 }

--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.11.67.0928
+0.11.68.0928
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@ -1,4 +1,4 @@
-<form class="ui comment form grid" action="{{EscapePound .Link}}" method="post">
+<form class="ui comment form grid" action="{{.Link}}" method="post">
 	{{.CSRFTokenHTML}}
 	{{if .Flash}}
 		<div class="sixteen wide column">
--- a/templates/repo/settings/protected_branch.tmpl
+++ b/templates/repo/settings/protected_branch.tmpl
@ -11,7 +11,7 @@
 				</h4>
 				<div class="ui attached segment branch-protection">
 					<p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
-					<form class="ui form" action="{{EscapePound .Link}}" method="post">
+					<form class="ui form" action="{{.Link}}" method="post">
 						{{.CSRFTokenHTML}}
 						<div class="inline field">
 							<div class="ui checkbox">
@ -83,4 +83,4 @@
 		</div>
 	</div>
 </div>
-{{template "base/footer" .}}
+{{template "base/footer" .}}
--- a/templates/repo/wiki/new.tmpl
+++ b/templates/repo/wiki/new.tmpl
@ -11,7 +11,7 @@
 				</div>
 			{{end}}
 		</div>
-		<form class="ui form" action="{{EscapePound .Link}}" method="post">
+		<form class="ui form" action="{{.Link}}" method="post">
 			{{.CSRFTokenHTML}}
 			<input type="hidden" name="old_title" value="{{.old_title}}">
 			<div class="field {{if .Err_Title}}error{{end}}">