feat: more escaping, tighter security

httpjamesm
2022-12-28 23:56:14 -05:00
parent 6f86cbce6e
commit 10e7c89e96
5 changed files with 23 additions and 8 deletions


@ -2,6 +2,7 @@ package utils
import (
"fmt"
"html"
"strings"
"github.com/PuerkitoBio/goquery"
@ -38,12 +39,12 @@ func FindAndReturnComments(inHtml string, postLayout *goquery.Selection) (outHtm
return
}
commentAuthorURL = commentAuthor.AttrOr("href", "")
commentAuthorURL = html.EscapeString(commentAuthor.AttrOr("href", ""))
}
commentTimestamp := commentBody.Find("span.relativetime-clean").Text()
commentTimestamp := html.EscapeString(commentBody.Find("span.relativetime-clean").Text())
comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, commentAuthor.Text())
comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, html.EscapeString(commentAuthor.Text()))
comments = append(comments, comment)