Fixes XSS, clickjacking & password autocompletion
@@ -6,6 +6,7 @@ package context | |||
import ( | |||
"fmt" | |||
"html" | |||
"html/template" | |||
"io" | |||
"net/http" | |||
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler { | |||
} | |||
} | |||
ctx.Data["CsrfToken"] = x.GetToken() | |||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`) | |||
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) | |||
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken()) | |||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`) | |||
log.Debug("Session ID: %s", sess.ID()) | |||
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"]) | |||
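Review bot: Storing the already HTML-escaped token in `ctx.Data["CsrfToken"]` on L15 means every other `{{.CsrfToken}}` use in an html/template gets escaped a second time at render, and a use inside a script or URL attribute gets HTML escaping where html/template would have applied the context-correct escaping; if the token generator can emit `&`, `<` or `"` that yields a token the server no longer recognises, and if it cannot, the call adds nothing. The escape is only needed where the raw `template.HTML` string is assembled, so keep the data value raw and escape at the splice: `ctx.Data["CsrfToken"] = x.GetToken()` followed by `ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + html.EscapeString(x.GetToken()) + `">`)`. As written, the debug log on L18 also prints the escaped form rather than the token actually issued. The `X-Frame-Options: SAMEORIGIN` header on L14 is a sound baseline; a `Content-Security-Policy: frame-ancestors 'self'` header is the modern equivalent and worth sending alongside it. Contexter begins and ends outside the hunk.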
@@ -13,7 +13,7 @@ | |||
{{if .IsResetForm}} | |||
<div class="required inline field {{if .Err_Password}}error{{end}}"> | |||
<label for="password">{{.i18n.Tr "password"}}</label> | |||
<input id="password" name="password" type="password" value="{{.password}}" autofocus required> | |||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required> | |||
</div> | |||
<div class="ui divider"></div> | |||
<div class="inline field"> |
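Review bot: The `value="{{.password}}"` attribute kept on L24 re-emits whatever password the user just submitted into the page source, where it can end up in the browser cache, a history snapshot or any intermediary that sees the response; the hunk only adds `autocomplete="off"` around it. Dropping the attribute, `<input id="password" name="password" type="password" autocomplete="off" autofocus required>`, removes that exposure, and the same applies to L33, L42 and L47. Most current browsers also ignore `autocomplete="off"` on password fields, so the purpose-specific tokens are the more reliable hint: `autocomplete="new-password"` on fields that set a password (L24, L42, L47 and L61, L66 in the settings form) and `autocomplete="current-password"` on the sign-in and old-password fields (L33, L56). Which form each hunk belongs to is inferred from the field labels, since the file headers are not on the page.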
@@ -15,7 +15,7 @@ | |||
</div> | |||
<div class="required inline field {{if .Err_Password}}error{{end}}"> | |||
<label for="password">{{.i18n.Tr "password"}}</label> | |||
<input id="password" name="password" type="password" value="{{.password}}" required> | |||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required> | |||
</div> | |||
<div class="inline field"> | |||
<label></label> |
@@ -22,11 +22,11 @@ | |||
</div> | |||
<div class="required inline field {{if .Err_Password}}error{{end}}"> | |||
<label for="password">{{.i18n.Tr "password"}}</label> | |||
<input id="password" name="password" type="password" value="{{.password}}" required> | |||
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required> | |||
</div> | |||
<div class="required inline field {{if .Err_Password}}error{{end}}"> | |||
<label for="retype">{{.i18n.Tr "re_type"}}</label> | |||
<input id="retype" name="retype" type="password" value="{{.retype}}" required> | |||
<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required> | |||
</div> | |||
{{if .EnableCaptcha}} | |||
<div class="inline field"> |
@@ -14,15 +14,15 @@ | |||
{{.CsrfTokenHtml}} | |||
<div class="required field {{if .Err_OldPassword}}error{{end}}"> | |||
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label> | |||
<input id="old_password" name="old_password" type="password" autofocus required> | |||
<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required> | |||
</div> | |||
<div class="required field {{if .Err_Password}}error{{end}}"> | |||
<label for="password">{{.i18n.Tr "settings.new_password"}}</label> | |||
<input id="password" name="password" type="password" required> | |||
<input id="password" name="password" type="password" autocomplete="off" required> | |||
</div> | |||
<div class="required field {{if .Err_Password}}error{{end}}"> | |||
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label> | |||
<input id="retype" name="retype" type="password" required> | |||
<input id="retype" name="retype" type="password" autocomplete="off" required> | |||
</div> | |||
<div class="field"> | |||
@@ -33,7 +33,7 @@ | |||
<div class="ui info message"> | |||
<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p> | |||
</div> | |||
{{end}} | |||
{{end}} | |||
</div> | |||
</div> | |||
</div> |