author | Unknwon <joe2010xtmf@163.com> | 2014-10-04 17:15:22 -0400 |
committer | Unknwon <joe2010xtmf@163.com> | 2014-10-04 17:15:22 -0400 |
commit | 263d4093260707c6249eecb52ad52a0205e61351 (patch) | |
tree | 865d01225903e26939e1bc6086a0d40f46f2725c /modules/base/tool.go | |
parent | 6a79b7653158276c7269bed0e06a8e408786ca4a (diff) | |
Basic xss prevention
Diffstat (limited to 'modules/base/tool.go')
-rw-r--r-- | modules/base/tool.go | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go
index b4083d090f..38fd1e21e7 100644
--- a/modules/base/tool.go
+++ b/modules/base/tool.go
@@ -14,6 +14,7 @@ import (
 "hash"
 "html/template"
 "math"
+ "regexp"
 "strings"
 "time"
@@ -446,3 +447,29 @@ func DateFormat(t time.Time, format string) string {
 format = replacer.Replace(format)
 return t.Format(format)
 }
+
+type xssFilter struct {
+ reg *regexp.Regexp
+ repl []byte
+}
+
+var (
+ whiteSpace = []byte(" ")
+ xssFilters = []xssFilter{
+ {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
+ {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
+ {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0
]*:`), whiteSpace},
+ }
+ )
+
+// XSS goes through all the XSS filters to make user input content as safe as possible.
+func XSS(in []byte) []byte {
+ for _, filter := range xssFilters {
+ in = filter.reg.ReplaceAll(in, filter.repl)
+ }
+ return in
+}
+
+func XSSString(in string) string {
+ return string(XSS([]byte(in)))
+} |
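Review bot: The new `xssFilters` denylist is both bypassable and over-eager, so `XSS` must not be the thing that stands between user content and the page: the handler pattern `\ [ONon]\w*=["]*` requires a literal space before the attribute and only checks its first letter, so `<img/onerror=alert(1)>` (slash-separated) passes through untouched while harmless ` name="` or ` nonce="` attributes are stripped, and `<[SCRIPTscript]{6}` matches any six characters drawn from that set, not only `script`. The `javascript:` pattern likewise misses entity-encoded (`&#106;avascript:`), `vbscript:` and `data:` scheme variants, which browsers still execute in an attribute context. Since the file already imports `html/template`, contextual escaping at render time (or an allowlist HTML sanitizer) is the reliable fix; if this filter stays as defence in depth, tighten the first pattern to `(?i)[\s/]on\w+\s*=["']*` and state its limits in the doc comment, e.g. `// XSS is a best-effort denylist filter; it does not replace contextual escaping at output.`. `XSSString` is exported but has no doc comment.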