authorevolvedlight <steve@evolvedlight.co.uk>2014-10-13 20:30:31 +0100
committerevolvedlight <steve@evolvedlight.co.uk>2014-10-13 20:30:31 +0100
commit8d2a6fc484b540819e211d52b8d54e97269f0918 (patch)
treee5bfe7d3937bb2d18ba2fb50ea72514bd5bb4e13 /modules/base/tool.go
parent29ac3980ffdb5faa525d77fddc109c9023ebe257 (diff)
parent89bd994c836ecc9b6ceb80849f470521e1b15917 (diff)
Merge remote-tracking branch 'upstream/dev'
Conflicts: models/repo.go
Diffstat (limited to 'modules/base/tool.go')
-rw-r--r--modules/base/tool.go27
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go
index b4083d09..38fd1e21 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,6 +14,7 @@ import (
"hash"
"html/template"
"math"
+ "regexp"
"strings"
"time"
@@ -446,3 +447,29 @@ func DateFormat(t time.Time, format string) string {
format = replacer.Replace(format)
return t.Format(format)
}
+
+type xssFilter struct {
+ reg *regexp.Regexp
+ repl []byte
+}
+
+var (
+ whiteSpace = []byte(" ")
+ xssFilters = []xssFilter{
+ {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
+ {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
+ {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0&#x0D;]*:`), whiteSpace},
+ }
+)
+
+// XSS goes through all the XSS filters to make user input content as safe as possible.
+func XSS(in []byte) []byte {
+ for _, filter := range xssFilters {
+ in = filter.reg.ReplaceAll(in, filter.repl)
+ }
+ return in
+}
+
+func XSSString(in string) string {
+ return string(XSS([]byte(in)))
+}
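Review bot: The three patterns in `xssFilters` do not express the rules their names suggest, so `XSS` both over- and under-filters: `[ONon]\w*=` matches any attribute whose name begins with o/n (e.g. ` name="…"` or ` nonce="…"` is replaced by a space) while an `on…` handler preceded by a tab or newline instead of a literal space is not matched, and `[SCRIPTscript]{6}` is a character class repeated six times, not a case-insensitive word, so it also strips unrelated six-letter runs such as `<script`-unlike `<strict`. If the intent is case-insensitivity, the idiomatic form is a flag: `{regexp.MustCompile(`(?i)\s+on\w*\s*=\s*["']*`), whiteSpace}` and `{regexp.MustCompile(`(?i)<script`), whiteSpace}`. Even with those corrections a regexp denylist is not a sanitizer and should not be relied on as the only defence; since the file already imports `html/template`, contextual escaping at render time (or an allowlist HTML sanitizer) is the appropriate mitigation, and the doc comment should say this is best-effort rather than "safe". `XSSString` is exported and needs a doc comment, e.g. `// XSSString applies XSS to a string and returns the filtered result.`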