fix: escape link text to prevent XSS

boojack 2023-07-24 22:01:32 +08:00 committed by GitHub
parent 66876452e1
commit 6dfccb9509


@ -3,6 +3,7 @@ package v1
import ( import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"html"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
@ -49,7 +50,7 @@ func (s *APIV1Service) registerRedirectorRoutes(g *echo.Group) {
func redirectToShortcut(c echo.Context, shortcut *store.Shortcut) error { func redirectToShortcut(c echo.Context, shortcut *store.Shortcut) error {
isValidURL := isValidURLString(shortcut.Link) isValidURL := isValidURLString(shortcut.Link)
if shortcut.OpenGraphMetadata == nil { if shortcut.OpenGraphMetadata == nil || (shortcut.OpenGraphMetadata.Title == "" && shortcut.OpenGraphMetadata.Description == "" && shortcut.OpenGraphMetadata.Image == "") {
if isValidURL { if isValidURL {
return c.Redirect(http.StatusSeeOther, shortcut.Link) return c.Redirect(http.StatusSeeOther, shortcut.Link)
} }
@ -63,6 +64,7 @@ func redirectToShortcut(c echo.Context, shortcut *store.Shortcut) error {
fmt.Sprintf(`<meta property="og:title" content="%s" />`, shortcut.OpenGraphMetadata.Title), fmt.Sprintf(`<meta property="og:title" content="%s" />`, shortcut.OpenGraphMetadata.Title),
fmt.Sprintf(`<meta property="og:description" content="%s" />`, shortcut.OpenGraphMetadata.Description), fmt.Sprintf(`<meta property="og:description" content="%s" />`, shortcut.OpenGraphMetadata.Description),
fmt.Sprintf(`<meta property="og:image" content="%s" />`, shortcut.OpenGraphMetadata.Image), fmt.Sprintf(`<meta property="og:image" content="%s" />`, shortcut.OpenGraphMetadata.Image),
`<meta property="og:type" content="website" />`,
// Twitter related metadata. // Twitter related metadata.
fmt.Sprintf(`<meta name="twitter:title" content="%s" />`, shortcut.OpenGraphMetadata.Title), fmt.Sprintf(`<meta name="twitter:title" content="%s" />`, shortcut.OpenGraphMetadata.Title),
fmt.Sprintf(`<meta name="twitter:description" content="%s" />`, shortcut.OpenGraphMetadata.Description), fmt.Sprintf(`<meta name="twitter:description" content="%s" />`, shortcut.OpenGraphMetadata.Description),
@ -76,7 +78,7 @@ func redirectToShortcut(c echo.Context, shortcut *store.Shortcut) error {
if isValidURL { if isValidURL {
body = fmt.Sprintf(`<script>window.location.href = "%s";</script>`, shortcut.Link) body = fmt.Sprintf(`<script>window.location.href = "%s";</script>`, shortcut.Link)
} else { } else {
body = shortcut.Link body = html.EscapeString(shortcut.Link)
} }
htmlString := fmt.Sprintf(htmlTemplate, strings.Join(metadataList, ""), body) htmlString := fmt.Sprintf(htmlTemplate, strings.Join(metadataList, ""), body)
return c.HTML(http.StatusOK, htmlString) return c.HTML(http.StatusOK, htmlString)
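Review bot: The unescaped-interpolation pattern this commit fixes on the `body = html.EscapeString(shortcut.Link)` line is still present in the third hunk, where `shortcut.OpenGraphMetadata.Title`, `.Description` and `.Image` are placed into the `content="%s"` attributes of the og:* and twitter:* meta tags through `fmt.Sprintf` with no escaping, so a value containing `"` or `<` still breaks out of the attribute into markup. Each of those five arguments should get the same treatment, e.g. `html.EscapeString(shortcut.OpenGraphMetadata.Title)` in place of the bare field, using the `html` import this commit adds. The `isValidURL` branch in the last hunk also interpolates `shortcut.Link` into a JavaScript string literal inside `<script>`; whether that is safe depends on what `isValidURLString` rejects, which is not visible here, and a `"` or `</script>` that survives it would still end the literal or the element. Since `encoding/json` is already imported, a robust form is `link, _ := json.Marshal(shortcut.Link) // Marshal of a string cannot fail` followed by `body = fmt.Sprintf("<script>window.location.href = %s;</script>", link)`, because `json.Marshal` quotes the string and escapes `<`, `>` and `&` by default. The enclosing `redirectToShortcut` body is split across hunks and its middle (the `htmlTemplate` and the rest of `metadataList`) lies outside this view.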