fixed xss issue in text preview
* reported by Tim / polym
Showing
with
2 additions
and
1 deletion.
-
+2
−1
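--- a/transfersh-server/handlers.go
+++ b/transfersh-server/handlers.go
@@ -34,6 +34,7 @@ import (
 "compress/gzip"
 "errors"
 "fmt"
+"html"
 html_template "html/template"
 "io"
 "io/ioutil"
@@ -102,7 +103,7 @@ func previewHandler(w http.ResponseWriter, r *http.Request) {
 output := blackfriday.MarkdownCommon(data)
 content = html_template.HTML(output)
 } else if strings.HasPrefix(contentType, "text/plain") {
-content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", data))
+content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))
 } else {
 templatePath = "download.sandbox.html"
 }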
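Review bot: The markdown branch directly above the fixed line still casts uploaded content to trusted HTML: `content = html_template.HTML(output)` takes whatever `blackfriday.MarkdownCommon(data)` returns, and as far as I know that renderer passes raw HTML in its input through unchanged, so the same class of issue appears to remain for markdown previews. Consider running `output` through an HTML sanitizer before the cast, or rendering with raw HTML disabled. A comment at each cast would also help, for example `// html_template.HTML disables auto-escaping: data must be escaped or sanitized before this point`. The escaping added on the text/plain line looks correct as written. previewHandler's body starts and ends outside the hunk, so how `data` and `contentType` are derived cannot be checked from here.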
0 comments on commit
98399c9