feat: more escaping, tighter security
This commit is contained in:
parent
6f86cbce6e
commit
10e7c89e96
@ -1,3 +1,3 @@
|
|||||||
package config
|
package config
|
||||||
|
|
||||||
var Version = "1.3"
|
var Version = "1.3.1"
|
||||||
|
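--- a/main.go
+++ b/main.go
@@ -35,6 +35,7 @@ func main() {
 	r.Static("/static", "./public")
 
 	r.Use(gin.Recovery())
+	r.Use(middleware.XssPreventionHeaders())
 	r.Use(middleware.NoCacheMiddleware())
 	r.Use(middleware.OptionsMiddleware())
 	r.Use(middleware.Ratelimit())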
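Review bot: The new `r.Use(middleware.XssPreventionHeaders())` is registered after `r.Static("/static", "./public")`, and gin copies the group's middleware into a route's handler chain at the moment the route is registered, so responses served from `/static` — the assets where `X-Content-Type-Options: nosniff` matters most — will not carry the new headers. The existing middleware on the following lines has the same ordering, so the gap is inherited rather than introduced, but header middleware is cheap to move: register `r.Use(middleware.XssPreventionHeaders())` on the line before `r.Static("/static", "./public")`, ahead of any route registration. `main` continues outside this hunk, so I cannot see whether other routes are added before this point.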
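--- /dev/null
+++ b/src/middleware/xssHeaders.go
@@ -0,0 +1,12 @@
+package middleware
+
+import "github.com/gin-gonic/gin"
+
+func XssPreventionHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("X-XSS-Protection", "1; mode=block")
+		c.Next()
+	}
+}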
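Review bot: `c.Header("X-XSS-Protection", "1; mode=block")` sets a legacy header: current Chromium and Firefox ignore it (the XSS auditor was removed), and OWASP now recommends `X-XSS-Protection: 0` because the old filter could be abused to suppress legitimate scripts and leak cross-origin information. The header that actually mitigates reflected and stored XSS in modern browsers is `Content-Security-Policy`, which this middleware does not set; `c.Header("Content-Security-Policy", "default-src 'self'")` would be the natural starting point, though the exact directives depend on whether the templates use inline scripts or styles, which I cannot see from this file. The exported function also has no doc comment; I would add `// XssPreventionHeaders returns middleware that sets browser hardening headers (nosniff, X-Frame-Options: DENY, X-XSS-Protection) on every response before calling the next handler.`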
@ -3,6 +3,7 @@ package routes
|
|||||||
import (
|
import (
|
||||||
"anonymousoverflow/src/utils"
|
"anonymousoverflow/src/utils"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"html/template"
|
"html/template"
|
||||||
"os"
|
"os"
|
||||||
"regexp"
|
"regexp"
|
||||||
@ -119,7 +120,7 @@ func ViewQuestion(c *gin.Context) {
|
|||||||
answerBody := answerCell.Find("div.s-prose")
|
answerBody := answerCell.Find("div.s-prose")
|
||||||
answerBodyHTML, _ := answerBody.Html()
|
answerBodyHTML, _ := answerBody.Html()
|
||||||
|
|
||||||
voteCount := voteCell.Find("div.js-vote-count").Text()
|
voteCount := html.EscapeString(voteCell.Find("div.js-vote-count").Text())
|
||||||
|
|
||||||
if s.HasClass("accepted-answer") {
|
if s.HasClass("accepted-answer") {
|
||||||
// add <div class="answer-meta accepted">Accepted Answer</div> to the top of the answer
|
// add <div class="answer-meta accepted">Accepted Answer</div> to the top of the answer
|
||||||
@ -150,9 +151,9 @@ func ViewQuestion(c *gin.Context) {
|
|||||||
|
|
||||||
answerAuthor := answerAuthorDetails.Find("a").First()
|
answerAuthor := answerAuthorDetails.Find("a").First()
|
||||||
|
|
||||||
answerAuthorURL = answerAuthor.AttrOr("href", "")
|
answerAuthorURL = html.EscapeString(answerAuthor.AttrOr("href", ""))
|
||||||
answerAuthorName = answerAuthor.Text()
|
answerAuthorName = html.EscapeString(answerAuthor.Text())
|
||||||
answerTimestamp = s.Find("span.relativetime").Text()
|
answerTimestamp = html.EscapeString(s.Find("span.relativetime").Text())
|
||||||
})
|
})
|
||||||
|
|
||||||
// append <div class="answer-author">Answered %s by %s</div> to the bottom of the answer
|
// append <div class="answer-author">Answered %s by %s</div> to the bottom of the answer
|
||||||
|
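Review bot: `answerAuthorURL = html.EscapeString(answerAuthor.AttrOr("href", ""))` only neutralises attribute break-out; it does not check that the scraped href is a site-relative path, so a value such as `@other.example/x` or `javascript:...` survives escaping and, depending on how the value is spliced into the `href` further down (the matching code in utils prefixes `https://stackoverflow.com`, where a leading `@` turns the prefix into userinfo), can still become a working link to another origin. A cheap guard is `rawHref := answerAuthor.AttrOr("href", "")`, `if !strings.HasPrefix(rawHref, "/") { rawHref = "" }`, `answerAuthorURL = html.EscapeString(rawHref)` (adding `strings` to the import block if it is not already there). It is also worth confirming that these escaped strings are only ever spliced via `fmt.Sprintf` into raw HTML and never handed as data to the `html/template` package imported above, since that would escape them a second time (`&amp;amp;`). `ViewQuestion` starts before this hunk, and the `answer-author` markup that consumes these values is built after it.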
@ -2,6 +2,7 @@ package utils
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/PuerkitoBio/goquery"
|
"github.com/PuerkitoBio/goquery"
|
||||||
@ -38,12 +39,12 @@ func FindAndReturnComments(inHtml string, postLayout *goquery.Selection) (outHtm
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
commentAuthorURL = commentAuthor.AttrOr("href", "")
|
commentAuthorURL = html.EscapeString(commentAuthor.AttrOr("href", ""))
|
||||||
}
|
}
|
||||||
|
|
||||||
commentTimestamp := commentBody.Find("span.relativetime-clean").Text()
|
commentTimestamp := html.EscapeString(commentBody.Find("span.relativetime-clean").Text())
|
||||||
|
|
||||||
comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, commentAuthor.Text())
|
comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, html.EscapeString(commentAuthor.Text()))
|
||||||
|
|
||||||
comments = append(comments, comment)
|
comments = append(comments, comment)
|
||||||
|
|
||||||
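Review bot: The `href="https://stackoverflow.com%s"` concatenation in the `fmt.Sprintf` now receives an escaped `commentAuthorURL`, but `html.EscapeString` does not reject a scraped href that is not a site-relative path: a value starting with `@` turns the prefix into userinfo (`https://stackoverflow.com@other.example/...`), and an absolute or protocol-relative URL yields a broken or foreign link. Since `strings` is already imported here, replacing the assignment with `rawHref := commentAuthor.AttrOr("href", "")`, `if !strings.HasPrefix(rawHref, "/") { rawHref = "" }`, `commentAuthorURL = html.EscapeString(rawHref)` closes that gap. `commentCopy`, the `comment-body` `%s`, is still interpolated unescaped; it is assigned before this hunk, so I cannot tell whether it is already sanitised markup or raw scraped HTML, but it is the one value in this Sprintf the commit's escaping pass did not touch and deserves a comment saying why. `FindAndReturnComments` begins outside the hunk.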
|