From 1e9730a779409e78ce8df7270cf264ad4f0ec2c4 Mon Sep 17 00:00:00 2001
From: Bwko <bouwko@gmail.com>
Date: Tue, 29 Nov 2016 22:49:06 +0100
Subject: Fixes xss, clickjacking & password autocompletion

---
 modules/context/context.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'modules/context')

diff --git a/modules/context/context.go b/modules/context/context.go
index 57a9195306..a77c1dc630 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -6,6 +6,7 @@ package context
 
 import (
 	"fmt"
+	"html"
 	"html/template"
 	"io"
 	"net/http"
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
 			}
 		}
 
-		ctx.Data["CsrfToken"] = x.GetToken()
-		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
+		ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+
+		ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
+		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
 		log.Debug("Session ID: %s", sess.ID())
 		log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
 
-- 
cgit v1.2.3