Fixes xss, clickjacking & password autocompletion

author: Bwko <bouwko@gmail.com> 2016-11-29 22:49:06 +0100
committer: Bwko <bouwko@gmail.com> 2016-11-29 22:49:06 +0100
commit: 1e9730a779409e78ce8df7270cf264ad4f0ec2c4 (patch)
tree: c473997ea32f5932e2b7c4187a4c619cd160889c /modules/context
parent: ccad2cce32c5bc0b66a525cfbb2b9b67c6cd956b (diff)
download: gitea-1e9730a779409e78ce8df7270cf264ad4f0ec2c4.tar.gz
gitea-1e9730a779409e78ce8df7270cf264ad4f0ec2c4.zip
1 files changed, 5 insertions, 2 deletions
diff --git a/modules/context/context.go b/modules/context/context.go
index 57a9195306..a77c1dc630 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -6,6 +6,7 @@ package context
 
 import (
 	"fmt"
+	"html"
 	"html/template"
 	"io"
 	"net/http"
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
 			}
 		}
 
-		ctx.Data["CsrfToken"] = x.GetToken()
-		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
+		ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+
+		ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
+		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
 		log.Debug("Session ID: %s", sess.ID())
 		log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
author	Bwko <bouwko@gmail.com>	2016-11-29 22:49:06 +0100
committer	Bwko <bouwko@gmail.com>	2016-11-29 22:49:06 +0100
commit	1e9730a779409e78ce8df7270cf264ad4f0ec2c4 (patch)
tree	c473997ea32f5932e2b7c4187a4c619cd160889c /modules/context
parent	ccad2cce32c5bc0b66a525cfbb2b9b67c6cd956b (diff)
download	gitea-1e9730a779409e78ce8df7270cf264ad4f0ec2c4.tar.gz gitea-1e9730a779409e78ce8df7270cf264ad4f0ec2c4.zip