Skip to content
Browse files

fixed xss issue in text preview

* reported by Tim / polym
1 parent 2b58d30 commit 98399c91dd86682077cf9542badbf1658fd9a8c1 @nl5887 nl5887 committed
Showing with 2 additions and 1 deletion.
  1. +2 −1 transfersh-server/handlers.go
View
3 transfersh-server/handlers.go
@@ -34,6 +34,7 @@ import (
"compress/gzip"
"errors"
"fmt"
+ "html"
html_template "html/template"
"io"
"io/ioutil"
@@ -102,7 +103,7 @@ func previewHandler(w http.ResponseWriter, r *http.Request) {
output := blackfriday.MarkdownCommon(data)
content = html_template.HTML(output)
} else if strings.HasPrefix(contentType, "text/plain") {
- content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", data))
+ content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))
} else {
templatePath = "download.sandbox.html"
}

0 comments on commit 98399c9

Please sign in to comment.
Something went wrong with that request. Please try again.