	Security: prevent XSS attach on wiki page
Reported by Miguel Ángel Jimeno.
					committed by
					
						 Kim "BKC" Carlbäcker
						Kim "BKC" Carlbäcker
					
				
			
			
				
	
			
			
			
						parent
						
							43c94d0a6c
						
					
				
				
					commit
					134f3e6e09
				
			| @@ -15,6 +15,7 @@ import ( | |||||||
| 	"strings" | 	"strings" | ||||||
| 	"time" | 	"time" | ||||||
|  |  | ||||||
|  | 	"github.com/microcosm-cc/bluemonday" | ||||||
| 	"golang.org/x/net/html/charset" | 	"golang.org/x/net/html/charset" | ||||||
| 	"golang.org/x/text/transform" | 	"golang.org/x/text/transform" | ||||||
| 	"gopkg.in/editorconfig/editorconfig-core-go.v1" | 	"gopkg.in/editorconfig/editorconfig-core-go.v1" | ||||||
| @@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap { | |||||||
| 		}, | 		}, | ||||||
| 		"AvatarLink":   base.AvatarLink, | 		"AvatarLink":   base.AvatarLink, | ||||||
| 		"Safe":         Safe, | 		"Safe":         Safe, | ||||||
|  | 		"Sanitize":     bluemonday.UGCPolicy().Sanitize, | ||||||
| 		"Str2html":     Str2html, | 		"Str2html":     Str2html, | ||||||
| 		"TimeSince":    base.TimeSince, | 		"TimeSince":    base.TimeSince, | ||||||
| 		"RawTimeSince": base.RawTimeSince, | 		"RawTimeSince": base.RawTimeSince, | ||||||
|   | |||||||
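Review bot: `bluemonday.UGCPolicy()` at the new `"Sanitize":` entry is the permissive user-generated-content policy, so the helper still lets through whatever that policy allows (basic formatting tags, links, and so on); for a value that is only ever meant to be plain text, such as a wiki page title, the strict policy states the intent more precisely: `"Sanitize": bluemonday.StrictPolicy().Sanitize,`. Whether any template relies on markup surviving in titles is not visible here, so that is a call for the template owners. The policy is also constructed inline each time NewFuncMap runs; if that happens once at startup it is harmless, otherwise hoisting it to a package-level `var sanitizer = bluemonday.UGCPolicy()` avoids rebuilding the allow-lists per call. A one-line comment on the entry, `// Sanitize removes disallowed HTML from user-supplied text before it is marked Safe`, would record why the helper exists next to `Safe`. NewFuncMap's body continues outside the hunk.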
| @@ -1,6 +1,7 @@ | |||||||
| {{template "base/head" .}} | {{template "base/head" .}} | ||||||
| <div class="repository wiki view"> | <div class="repository wiki view"> | ||||||
| 	{{template "repo/header" .}} | 	{{template "repo/header" .}} | ||||||
|  | 	{{ $title := .title | Sanitize}} | ||||||
| 	<div class="ui container"> | 	<div class="ui container"> | ||||||
| 		<div class="ui grid"> | 		<div class="ui grid"> | ||||||
| 			<div class="ui ten wide column"> | 			<div class="ui ten wide column"> | ||||||
| @@ -9,7 +10,7 @@ | |||||||
| 						<div class="ui basic small button"> | 						<div class="ui basic small button"> | ||||||
| 							<span class="text"> | 							<span class="text"> | ||||||
| 								{{.i18n.Tr "repo.wiki.page"}}: | 								{{.i18n.Tr "repo.wiki.page"}}: | ||||||
| 								<strong>{{.title}}</strong> | 								<strong>{{$title}}</strong> | ||||||
| 							</span> | 							</span> | ||||||
| 							<i class="dropdown icon"></i> | 							<i class="dropdown icon"></i> | ||||||
| 						</div> | 						</div> | ||||||
| @@ -20,7 +21,7 @@ | |||||||
| 							</div> | 							</div> | ||||||
| 							<div class="scrolling menu"> | 							<div class="scrolling menu"> | ||||||
| 								{{range .Pages}} | 								{{range .Pages}} | ||||||
| 									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div> | 									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div> | ||||||
| 								{{end}} | 								{{end}} | ||||||
| 							</div> | 							</div> | ||||||
| 						</div> | 						</div> | ||||||
| @@ -50,8 +51,8 @@ | |||||||
| 				</div> | 				</div> | ||||||
| 			</div> | 			</div> | ||||||
| 		</div> | 		</div> | ||||||
| 		<div class="ui header"> | 		<div class="ui dividing header"> | ||||||
| 			{{.title}} | 			{{$title}} | ||||||
| 			{{if and .IsRepositoryWriter (not .Repository.IsMirror)}} | 			{{if and .IsRepositoryWriter (not .Repository.IsMirror)}} | ||||||
| 				<div class="ui right"> | 				<div class="ui right"> | ||||||
| 					<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a> | 					<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a> | ||||||
| @@ -95,7 +96,7 @@ | |||||||
| 		{{.i18n.Tr "repo.wiki.delete_page_button"}} | 		{{.i18n.Tr "repo.wiki.delete_page_button"}} | ||||||
| 	</div> | 	</div> | ||||||
| 	<div class="content"> | 	<div class="content"> | ||||||
| 		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p> | 		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p> | ||||||
| 	</div> | 	</div> | ||||||
| 	{{template "base/delete_modal_actions" .}} | 	{{template "base/delete_modal_actions" .}} | ||||||
| </div> | </div> | ||||||
|   | |||||||
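Review bot: The sanitized `$title` is still an ordinary string, so at `<strong>{{$title}}</strong>` and at `{{$title}}` under the `ui dividing header` the template engine's contextual escaping will, if these templates go through Go's html/template as the `Safe` helper suggests, encode it a second time on top of the entity encoding bluemonday already emits, and a title containing `&`, `<` or `"` is likely to display as literal entities — worth checking with a title such as `A & B`. The `Sanitize` step clearly earns its place at the `| Safe` line, where the translated notice is marked trusted and the raw title would otherwise be inserted unescaped. If double-encoding shows up, one option is to keep the auto-escaped `{{.title}}` in the text-only spots and use `$title` only where `Safe` follows; the same consideration applies to `{{.Name | Sanitize}}` inside `{{range .Pages}}`, which is also a text context. Whichever way it goes, a comment at the definition, `{{/* sanitized once here; required where the value is later passed through Safe */}}`, would document the reason for the intermediate variable.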