-rw-r--r-- | gogs.go | 2 | ||||
-rw-r--r-- | pkg/context/context.go | 16 | ||||
-rw-r--r-- | pkg/template/template.go | 4 | ||||
-rw-r--r-- | routes/repo/editor.go | 2 | ||||
-rw-r--r-- | templates/.VERSION | 2 | ||||
-rw-r--r-- | templates/repo/issue/new_form.tmpl | 2 | ||||
-rw-r--r-- | templates/repo/settings/protected_branch.tmpl | 4 | ||||
-rw-r--r-- | templates/repo/wiki/new.tmpl | 2 |
8 files changed, 20 insertions, 14 deletions
@@ -16,7 +16,7 @@ import (
 "github.com/gogs/gogs/pkg/setting"
 )
-const APP_VER = "0.11.67.0928"
+const APP_VER = "0.11.68.0928"
 func init() {
 setting.AppVer = APP_VER
diff --git a/pkg/context/context.go b/pkg/context/context.go
index 8b353f61..17a5ec96 100644
--- a/pkg/context/context.go
+++ b/pkg/context/context.go
@@ -6,7 +6,6 @@ package context
 import (
 "fmt"
- "html/template"
 "io"
 "net/http"
 "path"
@@ -26,6 +25,7 @@ import (
 "github.com/gogs/gogs/pkg/auth"
 "github.com/gogs/gogs/pkg/form"
 "github.com/gogs/gogs/pkg/setting"
+ "github.com/gogs/gogs/pkg/template"
 )
 // Context represents context of a request.
@@ -138,10 +138,16 @@ func (c *Context) JSONSuccess(data interface{}) {
 c.JSON(http.StatusOK, data)
 }
+// Redirect responses redirection wtih given location and status.
+// It escapes special characters in the location string.
+func (c *Context) Redirect(location string, status ...int) {
+ c.Context.Redirect(template.EscapePound(location), status...)
+}
+
 // SubURLRedirect responses redirection wtih given location and status.
 // It prepends setting.AppSubURL to the location string.
 func (c *Context) SubURLRedirect(location string, status ...int) {
- c.Redirect(setting.AppSubURL + location)
+ c.Redirect(setting.AppSubURL+location, status...)
 }
 // RenderWithErr used for page has form validation but need to prompt error to users.
@@ -227,7 +233,7 @@ func Contexter() macaron.Handler {
 },
 Org: &Organization{},
 }
- c.Data["Link"] = c.Link
+ c.Data["Link"] = template.EscapePound(c.Link)
 c.Data["PageStartTime"] = time.Now()
 // Quick responses appropriate go-get meta with status 200
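Review bot: The new Redirect override runs every location through template.EscapePound, including locations a caller may already have percent-encoded (the editor.go hunk drops its own EscapePound call for exactly this reason, but the PullRequestURL branch there was never escaped locally), so the result for an input that already contains `%23` depends on EscapePound being idempotent, which this diff does not show; worth confirming before relying on it. The added doc comment says "escapes special characters", which reads broader than a `#`-only rewrite if that is what EscapePound does, and it repeats the `wtih` typo from the SubURLRedirect comment below it. Because Redirect is now the single chokepoint for Location headers, a comment stating the contract would help: `// Redirect responds with a redirection to location and status. The location is passed through template.EscapePound, so callers pass it unescaped; EscapePound is not a validation step, and locations built from request input must still be kept on-site by the caller.` The surrounding Contexter and context methods continue outside the hunk.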
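Review bot: `c.Data["Link"]` is now stored pre-escaped, and the three template hunks (issue/new_form.tmpl, settings/protected_branch.tmpl, wiki/new.tmpl) drop `{{EscapePound .Link}}` to match, but any other template that still writes `{{EscapePound .Link}}`, or any handler that later overwrites `c.Data["Link"]` with a raw value, now behaves differently from before: a double escape if EscapePound also rewrites `%`, or an unescaped link if the handler's value wins. Neither EscapePound nor the remaining templates are visible here, so this is a grep-and-confirm item rather than a definite bug. A one-line comment at the assignment would make the new contract explicit: `// Link is stored already escaped; templates use {{.Link}} directly, not {{EscapePound .Link}}.` Contexter continues outside the hunk.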
@@ -296,13 +302,13 @@ func Contexter() macaron.Handler {
 // If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
 if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
 if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
- c.Handle(500, "ParseMultipartForm", err)
+ c.ServerError("ParseMultipartForm", err)
 return
 }
 }
 c.Data["CSRFToken"] = x.GetToken()
- c.Data["CSRFTokenHTML"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
+ c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
 log.Trace("Session ID: %s", sess.ID())
 log.Trace("CSRF Token: %v", c.Data["CSRFToken"])
diff --git a/pkg/template/template.go b/pkg/template/template.go
index ff9921e7..8a85980a 100644
--- a/pkg/template/template.go
+++ b/pkg/template/template.go
@@ -64,7 +64,7 @@ func NewFuncMap() []template.FuncMap {
 "AppendAvatarSize": tool.AppendAvatarSize,
 "Safe": Safe,
 "Sanitize": bluemonday.UGCPolicy().Sanitize,
- "Str2html": Str2html,
+ "Str2html": Str2HTML,
 "NewLine2br": NewLine2br,
 "TimeSince": tool.TimeSince,
 "RawTimeSince": tool.RawTimeSince,
@@ -127,7 +127,7 @@ func Safe(raw string) template.HTML {
 return template.HTML(raw)
 }
-func Str2html(raw string) template.HTML {
+func Str2HTML(raw string) template.HTML {
 return template.HTML(markup.Sanitize(raw))
 }
diff --git a/routes/repo/editor.go b/routes/repo/editor.go
index f33e2470..67c2be1e 100644
--- a/routes/repo/editor.go
+++ b/routes/repo/editor.go
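Review bot: The new `template.Safe(...)` line still concatenates the raw `x.GetToken()` value into an attribute and then marks the whole string as trusted HTML, and it calls `GetToken()` a second time after the `CSRFToken` assignment two lines above. That is only safe if the token alphabet can never contain `"`, `<` or `&`, which nothing in this hunk establishes; reading the token once into a local (`token := x.GetToken()`), assigning it to `c.Data["CSRFToken"]`, and building the hidden input from `html.EscapeString(token)` covers both points and keeps the two values guaranteed identical (the stdlib `html` import would be needed now that `html/template` is gone from this file). The `// 32MB max size` comment next to `setting.AttachmentMaxSize << 20` is pre-existing but no longer describes a fixed value. Contexter continues outside the hunk.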
@@ -286,7 +286,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
 if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
 c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
 } else {
- c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + template.EscapePound(f.TreePath))
+ c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + f.TreePath)
 }
 }
diff --git a/templates/.VERSION b/templates/.VERSION
index cc2f02e6..fb9a1afb 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.11.67.0928
+0.11.68.0928
diff --git a/templates/repo/issue/new_form.tmpl b/templates/repo/issue/new_form.tmpl
index d3f9f710..c2f215e2 100644
--- a/templates/repo/issue/new_form.tmpl
+++ b/templates/repo/issue/new_form.tmpl
@@ -1,4 +1,4 @@
-<form class="ui comment form grid" action="{{EscapePound .Link}}" method="post">
+<form class="ui comment form grid" action="{{.Link}}" method="post">
 {{.CSRFTokenHTML}}
 {{if .Flash}}
 <div class="sixteen wide column">
diff --git a/templates/repo/settings/protected_branch.tmpl b/templates/repo/settings/protected_branch.tmpl
index 10495718..e9367fe0 100644
--- a/templates/repo/settings/protected_branch.tmpl
+++ b/templates/repo/settings/protected_branch.tmpl
@@ -11,7 +11,7 @@
 </h4>
 <div class="ui attached segment branch-protection">
 <p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
- <form class="ui form" action="{{EscapePound .Link}}" method="post">
+ <form class="ui form" action="{{.Link}}" method="post">
 {{.CSRFTokenHTML}}
 <div class="inline field">
 <div class="ui checkbox">
@@ -83,4 +83,4 @@
 </div>
 </div>
 </div>
-{{template "base/footer" .}}
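Review bot: Dropping `template.EscapePound(f.TreePath)` may have removed the last use of the `template` package in editor.go, yet the diff shows no change to the file's import block; if no other reference remains, the file no longer compiles because of the unused import, so confirm that or drop the import in the same commit. The redirect now depends on the new context.Context.Redirect to escape the whole location, which also covers `branchName` and the PullRequestURL branch that were never escaped locally; a short comment would stop the next reader from re-adding a local escape: `// c.Redirect escapes the location (see context.Context.Redirect); do not pre-escape TreePath here.` editFilePost continues outside the hunk.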
\ No newline at end of file
+{{template "base/footer" .}}
diff --git a/templates/repo/wiki/new.tmpl b/templates/repo/wiki/new.tmpl
index 74069758..13ba3b9f 100644
--- a/templates/repo/wiki/new.tmpl
+++ b/templates/repo/wiki/new.tmpl
@@ -11,7 +11,7 @@
 </div>
 {{end}}
 </div>
- <form class="ui form" action="{{EscapePound .Link}}" method="post">
+ <form class="ui form" action="{{.Link}}" method="post">
 {{.CSRFTokenHTML}}
 <input type="hidden" name="old_title" value="{{.old_title}}">
 <div class="field {{if .Err_Title}}error{{end}}">