Security: prevent XSS attach on wiki page (#955)

lunny · web-flow · commit 91836614cdf6 · 2017-02-16T17:02:15.000+08:00
Reported by Miguel Ángel Jimeno.
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 	"gopkg.in/editorconfig/editorconfig-core-go.v1"
@@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
 		},
 		"AvatarLink":   base.AvatarLink,
 		"Safe":         Safe,
+		"Sanitize":     bluemonday.UGCPolicy().Sanitize,
 		"Str2html":     Str2html,
 		"TimeSince":    base.TimeSince,
 		"RawTimeSince": base.RawTimeSince,
diff --git a/templates/repo/wiki/view.tmpl b/templates/repo/wiki/view.tmpl
@@ -1,6 +1,7 @@
 {{template "base/head" .}}
 <div class="repository wiki view">
 	{{template "repo/header" .}}
+	{{ $title := .title | Sanitize}}
 	<div class="ui container">
 		<div class="ui grid">
 			<div class="ui ten wide column">
@@ -9,7 +10,7 @@
 						<div class="ui basic small button">
 							<span class="text">
 								{{.i18n.Tr "repo.wiki.page"}}:
-								<strong>{{.title}}</strong>
+								<strong>{{$title}}</strong>
 							</span>
 							<i class="dropdown icon"></i>
 						</div>
@@ -20,7 +21,7 @@
 							</div>
 							<div class="scrolling menu">
 								{{range .Pages}}
-									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name}}</div>
+									<div class="item {{if eq $.Title .Name}}selected{{end}}" data-url="{{$.RepoLink}}/wiki/{{.URL}}">{{.Name | Sanitize}}</div>
 								{{end}}
 							</div>
 						</div>
@@ -51,7 +52,7 @@
 			</div>
 		</div>
 		<div class="ui dividing header">
-			{{.title}}
+			{{$title}}
 			{{if and .IsRepositoryWriter (not .Repository.IsMirror)}}
 				<div class="ui right">
 					<a class="ui small button" href="{{.RepoLink}}/wiki/{{EscapePound .PageURL}}/_edit">{{.i18n.Tr "repo.wiki.edit_page_button"}}</a>
@@ -76,7 +77,7 @@
 		{{.i18n.Tr "repo.wiki.delete_page_button"}}
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" .title | Safe}}</p>
+		<p>{{.i18n.Tr "repo.wiki.delete_page_notice_1" $title | Safe}}</p>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>
