From 872dc998ef70e55ab7f3f2d419a16e46b77e28de Mon Sep 17 00:00:00 2001
From: Robert Willert
Date: Thu, 19 Dec 2024 22:10:50 +0100
Subject: [PATCH] escape html special chars
---
custom/js/helper.js | 40 +++++++++++++++++++++++++---------------
router/router.go | 2 +-
2 files changed, 26 insertions(+), 16 deletions(-)
diff --git a/custom/js/helper.js b/custom/js/helper.js
index 5b43272..0555922 100644
--- a/custom/js/helper.js
+++ b/custom/js/helper.js
@@ -1,3 +1,13 @@
+function escapeHtml(unsafe)
+{
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+ }
+
 function renderClientList(data) {
 $.each(data, function(index, obj) {
 // render telegram button
@@ -6,13 +16,13 @@ function renderClientList(data) {
 telegramButton = `
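Review bot: `escapeHtml` calls `.replace` straight on its argument, so a `null` or `undefined` field throws a TypeError inside the `$.each` callback and aborts rendering of the whole client list; the `@@ -95,7 +105,7 @@` hunk passes `obj.Client.additional_notes` unguarded, while the `@@ -40,7 +50,7 @@` hunk only touches that field after a length check, so the unguarded path is reachable. Coerce first: `if (unsafe == null) return "";` and then `return String(unsafe)` ahead of the replace chain, which also makes numeric fields safe to pass. The entity set handles element text and double-quoted attribute values, which is how every call site in this patch uses it; a one-line header comment should pin that contract, e.g. `// HTML-escape a value for element text or a double-quoted attribute; not sufficient for URL, inline-script or unquoted-attribute contexts.` The closing brace is indented one level deeper than the opening one; aligning it with `function` matches `renderClientList` below.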
+ data-clientname="${escapeHtml(obj.Client.name)}">Telegram
 `
 }
 let telegramHtml = "";
 if (obj.Client.telegram_userid && obj.Client.telegram_userid.length > 0) {
- telegramHtml = ``
+ telegramHtml = ``
 }
 // render client status css tag style
@@ -24,13 +34,13 @@ function renderClientList(data) {
 // render client allocated ip addresses
 let allocatedIpsHtml = "";
 $.each(obj.Client.allocated_ips, function(index, obj) {
- allocatedIpsHtml += `${obj} `;
+ allocatedIpsHtml += `${escapeHtml(obj)} `;
 })
 // render client allowed ip addresses
 let allowedIpsHtml = "";
 $.each(obj.Client.allowed_ips, function(index, obj) {
- allowedIpsHtml += `${obj} `;
+ allowedIpsHtml += `${escapeHtml(obj)} `;
 })
 let subnetRangesString = "";
@@ -40,7 +50,7 @@ function renderClientList(data) {
 let additionalNotesHtml = "";
 if (obj.Client.additional_notes && obj.Client.additional_notes.length > 0) {
- additionalNotesHtml = ``
+ additionalNotesHtml = ``
 }
 // render client html content
@@ -56,12 +66,12 @@ function renderClientList(data) {
+ data-clientname="${escapeHtml(obj.Client.name)}" ${obj.QRCode != "" ? '' : ' disabled'}>QR code
+ data-clientname="${escapeHtml(obj.Client.name)}">Email
${telegramButton}
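Review bot: The QR-code button line compares with loose inequality, `${obj.QRCode != "" ? '' : ' disabled'}`; `obj.QRCode !== ""` is the conventional form and behaves the same for string and `undefined` values (it only differs if the field were ever numeric). The `data-clientname` values are escaped here, which is correct for a double-quoted attribute, but whatever reads them back (presumably a jQuery `.data()`/`.attr()` click handler outside this hunk) receives the browser-decoded raw name, so that consumer must escape again or use `.text()` if it re-inserts the value into the DOM.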
@@ -72,22 +82,22 @@ function renderClientList(data) {

- ${obj.Client.name} - - + ${escapeHtml(obj.Client.name)} + + ${telegramHtml} ${additionalNotesHtml}
- ${obj.Client.email}
+ ${escapeHtml(obj.Client.email)}
 ${prettyDateTime(obj.Client.created_at)}
@@ -95,7 +105,7 @@ function renderClientList(data) {
 ${obj.Client.use_server_dns ? 'DNS enabled' : 'DNS disabled'}
- ${obj.Client.additional_notes}
+ ${escapeHtml(obj.Client.additional_notes)} IP Allocation` + allocatedIpsHtml + `Allowed IPs`
diff --git a/router/router.go b/router/router.go
index 59d352e..25dafd8 100644
--- a/router/router.go
+++ b/router/router.go
@@ -2,11 +2,11 @@ package router
 import (
 "errors"
+ "html/template"
 "io"
 "io/fs"
 "reflect"
 "strings"
- "text/template"
 "github.com/gorilla/sessions"
 "github.com/labstack/echo-contrib/session"
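Review bot: Swapping `text/template` for `html/template` enables contextual auto-escaping for every template this package renders, which is the right default, but it is a behaviour change that reaches beyond this import block: any template that deliberately interpolates pre-built markup, or a value a handler already HTML-escaped, will now come out as literal text or double-escaped. Those render sites are outside this hunk and should be audited; only values that are known-safe belong in `template.HTML`, never request- or database-derived strings. Only the import block is visible here, so the `template.*` uses it feeds elsewhere in the file could not be checked.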