
Fix XSS in markdown preview

This commit is contained in:
Andrea Spacca 2018-07-01 14:53:28 +02:00
parent 3b60ba16cd
commit d4baaba35f


@ -133,7 +133,8 @@ func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {
} }
if strings.HasPrefix(contentType, "text/x-markdown") || strings.HasPrefix(contentType, "text/markdown") { if strings.HasPrefix(contentType, "text/x-markdown") || strings.HasPrefix(contentType, "text/markdown") {
output := blackfriday.MarkdownCommon(data) escapedData := html.EscapeString(string(data))
output := blackfriday.MarkdownCommon([]byte(escapedData))
content = html_template.HTML(output) content = html_template.HTML(output)
} else if strings.HasPrefix(contentType, "text/plain") { } else if strings.HasPrefix(contentType, "text/plain") {
content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data)))) content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))