frontend: filter output to prevent XSS

Lan Tian
2021-01-17 01:14:49 +08:00
parent 90e5012840
commit 72946e1113
6 changed files with 24 additions and 19 deletions


@@ -7,6 +7,7 @@ import (
"regexp"
"sort"
"strings"
"text/template"
)
// static options map
@@ -81,6 +82,7 @@ func renderPageTemplate(w http.ResponseWriter, r *http.Request, title string, co
func smartFormatter(s string) string {
var result string
result += "<pre>"
s = template.HTMLEscapeString(s)
for _, line := range strings.Split(s, "\n") {
var lineFormatted string
if strings.HasPrefix(strings.TrimSpace(line), "BGP.as_path:") || strings.HasPrefix(strings.TrimSpace(line), "Neighbor AS:") || strings.HasPrefix(strings.TrimSpace(line), "Local AS:") {
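Review bot: The escape at `s = template.HTMLEscapeString(s)` now runs before the per-line formatting, so any substring the loop later wraps in markup is already entity-encoded; that ordering is the whole fix, but the invariant is implicit and a future edit that splices raw `line` fragments into an `href` or other attribute would silently reopen the hole. I would state it on that line: `// s is untrusted backend output: escape once, before any <a>/<span> markup is added below, so later substitutions only ever see entity-encoded text.` `text/template.HTMLEscapeString` and `html/template.HTMLEscapeString` are the same function, so the new import is a matter of style, though `html/template` would signal the intent to a reader more directly. smartFormatter's body continues past the end of this hunk, so whether the link-building code downstream derives attribute values solely from the escaped text cannot be confirmed from here.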
@@ -103,7 +105,7 @@ func summaryTable(data string, serverName string) string {
lines := strings.Split(strings.TrimSpace(data), "\n")
if len(lines) <= 1 {
// Likely backend returned an error message
return "<pre>" + strings.TrimSpace(data) + "</pre>"
return "<pre>" + template.HTMLEscapeString(strings.TrimSpace(data)) + "</pre>"
}
args := TemplateSummary{