feat: more escaping, tighter security

httpjamesm 2022-12-28 23:56:14 -05:00
parent 6f86cbce6e
commit 10e7c89e96
5 changed files with 23 additions and 8 deletions


@ -1,3 +1,3 @@
package config package config
var Version = "1.3" var Version = "1.3.1"


@ -35,6 +35,7 @@ func main() {
r.Static("/static", "./public") r.Static("/static", "./public")
r.Use(gin.Recovery()) r.Use(gin.Recovery())
r.Use(middleware.XssPreventionHeaders())
r.Use(middleware.NoCacheMiddleware()) r.Use(middleware.NoCacheMiddleware())
r.Use(middleware.OptionsMiddleware()) r.Use(middleware.OptionsMiddleware())
r.Use(middleware.Ratelimit()) r.Use(middleware.Ratelimit())
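Review bot: The new `r.Use(middleware.XssPreventionHeaders())` is registered after `r.Static("/static", "./public")` on the first line of this hunk; Gin attaches `Use` middleware only to routes registered after the `Use` call, so, if that holds here, everything served from `/static` goes out without `X-Content-Type-Options: nosniff` and the other headers, and nosniff matters most for exactly those served files. Moving the header middleware (and ideally the other `r.Use` lines) above `r.Static(...)`, right after the engine is created, closes that gap without other behaviour change. `main` starts and ends outside this hunk.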


@ -0,0 +1,12 @@
package middleware
import "github.com/gin-gonic/gin"
func XssPreventionHeaders() gin.HandlerFunc {
return func(c *gin.Context) {
c.Header("X-Content-Type-Options", "nosniff")
c.Header("X-Frame-Options", "DENY")
c.Header("X-XSS-Protection", "1; mode=block")
c.Next()
}
}
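Review bot: `X-XSS-Protection: 1; mode=block` in the third `c.Header` call is a deprecated header: current Chromium and Firefox ignore it, and where the legacy filter is still honoured it has been abused as a side channel, which is why current guidance is to send `X-XSS-Protection: 0` or omit it. The header that actually constrains injected script for an app that stitches upstream HTML into its pages is `Content-Security-Policy`, which this middleware does not set; a starting point to test against what the templates load is `c.Header("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")`, loosened only where the pages need it. The function name also oversells the headers — nosniff and `X-Frame-Options` address MIME sniffing and clickjacking, not XSS — so either rename it (e.g. `SecurityHeaders`) or make that explicit in the exported doc comment the function is missing, e.g. `// XssPreventionHeaders sets browser hardening headers (nosniff, frame denial) on every response; it does not set a CSP.` A `Referrer-Policy: no-referrer` header is worth considering as well, since links to the upstream site would otherwise leak the proxied question URL.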


@ -3,6 +3,7 @@ package routes
import ( import (
"anonymousoverflow/src/utils" "anonymousoverflow/src/utils"
"fmt" "fmt"
"html"
"html/template" "html/template"
"os" "os"
"regexp" "regexp"
@ -119,7 +120,7 @@ func ViewQuestion(c *gin.Context) {
answerBody := answerCell.Find("div.s-prose") answerBody := answerCell.Find("div.s-prose")
answerBodyHTML, _ := answerBody.Html() answerBodyHTML, _ := answerBody.Html()
voteCount := voteCell.Find("div.js-vote-count").Text() voteCount := html.EscapeString(voteCell.Find("div.js-vote-count").Text())
if s.HasClass("accepted-answer") { if s.HasClass("accepted-answer") {
// add <div class="answer-meta accepted">Accepted Answer</div> to the top of the answer // add <div class="answer-meta accepted">Accepted Answer</div> to the top of the answer
@ -150,9 +151,9 @@ func ViewQuestion(c *gin.Context) {
answerAuthor := answerAuthorDetails.Find("a").First() answerAuthor := answerAuthorDetails.Find("a").First()
answerAuthorURL = answerAuthor.AttrOr("href", "") answerAuthorURL = html.EscapeString(answerAuthor.AttrOr("href", ""))
answerAuthorName = answerAuthor.Text() answerAuthorName = html.EscapeString(answerAuthor.Text())
answerTimestamp = s.Find("span.relativetime").Text() answerTimestamp = html.EscapeString(s.Find("span.relativetime").Text())
}) })
// append <div class="answer-author">Answered %s by %s</div> to the bottom of the answer // append <div class="answer-author">Answered %s by %s</div> to the bottom of the answer
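Review bot: The escaping added around `voteCount`, `answerAuthorURL`, `answerAuthorName` and `answerTimestamp` leaves `answerBodyHTML, _ := answerBody.Html()` two lines above `voteCount` untouched, and that upstream-supplied markup is the largest injection surface in this handler: any `script`, `on*` handler or `javascript:` link in it reaches the page verbatim, and the `Html()` error is discarded. Escaping the body would wreck its formatting, so the fix is sanitising rather than escaping — remove `script`/`style`/`iframe` elements and `on*`/`javascript:` attributes, or pass it through an allowlist sanitiser — and check the error instead of `_`. `html.EscapeString` on the `href` that becomes `answerAuthorURL` makes the value safe inside a quoted attribute but does not constrain where it points; if it ends up in an `<a href>`, the scheme and host should be checked too. Since `html/template` is imported, whether these strings are later wrapped as `template.HTML` or rendered as plain template values decides whether the new `html.EscapeString` calls double-escape — worth confirming. `ViewQuestion` starts before and ends after these hunks.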


@ -2,6 +2,7 @@ package utils
import ( import (
"fmt" "fmt"
"html"
"strings" "strings"
"github.com/PuerkitoBio/goquery" "github.com/PuerkitoBio/goquery"
@ -38,12 +39,12 @@ func FindAndReturnComments(inHtml string, postLayout *goquery.Selection) (outHtm
return return
} }
commentAuthorURL = commentAuthor.AttrOr("href", "") commentAuthorURL = html.EscapeString(commentAuthor.AttrOr("href", ""))
} }
commentTimestamp := commentBody.Find("span.relativetime-clean").Text() commentTimestamp := html.EscapeString(commentBody.Find("span.relativetime-clean").Text())
comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, commentAuthor.Text()) comment := fmt.Sprintf(`<div class="comment-parent"><div class="comment"><div class="comment-body">%s</div><div class="comment-author">Commented %s by <a href="https://stackoverflow.com%s" target="_blank" rel="noopener noreferrer">%s</a>.</div></div></div>`, commentCopy, commentTimestamp, commentAuthorURL, html.EscapeString(commentAuthor.Text()))
comments = append(comments, comment) comments = append(comments, comment)
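Review bot: In the `fmt.Sprintf` on the line above, `html.EscapeString` makes `commentAuthorURL` safe inside the quoted `href`, but the value is concatenated after `https://stackoverflow.com` with no check on its shape: an upstream `href` such as `@evil.example/x` produces `https://stackoverflow.com@evil.example/x`, which browsers resolve to `evil.example` with `stackoverflow.com` as userinfo, and an absolute URL simply yields a broken link. Require a single-slash-rooted path before using it, e.g. `if href := commentAuthor.AttrOr("href", ""); !strings.HasPrefix(href, "/") || strings.HasPrefix(href, "//") { return }` followed by `commentAuthorURL = html.EscapeString(href)`, the `return` mirroring the guard at the top of this hunk (assuming, as that guard suggests, this runs inside a per-comment callback). `commentCopy` in the `comment-body` slot is still upstream HTML inserted verbatim, so as with the answer bodies it needs sanitising rather than escaping. `FindAndReturnComments` starts before this hunk.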