author | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-27 13:30:41 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-27 13:30:41 -0600 |
commit | 006dc1792f0118552f81e17cfbe2802a3180c352 (patch) | |
tree | 52f17511187bda5054d944ef06e55c026e93c8ea | |
parent | a63cb3e3fdea70991a95c3f0bc8f3866a5aec6ef (diff) |
Use html/template for escaping by default
Allow HTML only with a few specific functions
-rw-r--r-- | modules/caddyhttp/templates/tplcontext.go | 26 | ||||
-rw-r--r-- | modules/caddyhttp/templates/tplcontext_test.go | 2 |
2 files changed, 17 insertions, 11 deletions
diff --git a/modules/caddyhttp/templates/tplcontext.go b/modules/caddyhttp/templates/tplcontext.go
index 19bf714..5c5d990 100644
--- a/modules/caddyhttp/templates/tplcontext.go
+++ b/modules/caddyhttp/templates/tplcontext.go
@@ -3,13 +3,13 @@ package templates
 import (
 	"bytes"
 	"fmt"
+	"html/template"
 	"io"
 	"net"
 	"net/http"
 	"path"
 	"strings"
 	"sync"
-	"text/template"
 
 	"github.com/Masterminds/sprig"
 	"github.com/caddyserver/caddy/modules/caddyhttp"
@@ -27,7 +27,10 @@ type templateContext struct {
 }
 
 // Include returns the contents of filename relative to the site root.
-func (c templateContext) Include(filename string, args ...interface{}) (string, error) {
+// Note that included files are NOT escaped, so you should only include
+// trusted files. If it is not trusted, be sure to use escaping functions
+// in your template.
+func (c templateContext) Include(filename string, args ...interface{}) (template.HTML, error) {
 	if c.Root == nil {
 		return "", fmt.Errorf("root file system not specified")
 	}
@@ -54,12 +57,14 @@ func (c templateContext) Include(filename string, args ...interface{}) (string,
 		return "", err
 	}
 
-	return bodyBuf.String(), nil
+	return template.HTML(bodyBuf.String()), nil
 }
 
 // HTTPInclude returns the body of a virtual (lightweight) request
-// to the given URI on the same server.
-func (c templateContext) HTTPInclude(uri string) (string, error) {
+// to the given URI on the same server. Note that included bodies
+// are NOT escaped, so you should only include trusted resources.
+// If it is not trusted, be sure to use escaping functions yourself.
+func (c templateContext) HTTPInclude(uri string) (template.HTML, error) {
 	if c.Req.Header.Get(recursionPreventionHeader) == "1" {
 		return "", fmt.Errorf("virtual include cycle")
 	}
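Review bot: The `return template.HTML(bodyBuf.String()), nil` line in the Include hunk, and the matching signature change in HTTPInclude, assert that the entire included output is safe HTML regardless of what the file or the virtual request's handler actually produced, and the new doc comments say the result is "NOT escaped" without qualification. As far as I remember, html/template honours the `template.HTML` type only where the value is interpolated as HTML text, and still escapes it by context elsewhere (attribute or script positions), so the comments would be more precise as `// The result is typed template.HTML, so html/template inserts it verbatim in HTML text context; include only trusted content.` For HTTPInclude it is also worth stating that if `uri` is ever derived from request data, whatever that same-server path returns is emitted unescaped, since the type cannot distinguish an HTML page from a JSON or plain-text response. Both function bodies continue outside the hunk, so I cannot see whether any content-type check exists further down.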
@@ -87,11 +92,11 @@ func (c templateContext) HTTPInclude(uri string) (string, error) {
 		return "", err
 	}
 
-	return buf.String(), nil
+	return template.HTML(buf.String()), nil
 }
 
 func (c templateContext) executeTemplateInBuffer(tplName string, buf *bytes.Buffer) error {
-	tpl := template.New(tplName).Funcs(sprig.TxtFuncMap())
+	tpl := template.New(tplName).Funcs(sprig.FuncMap())
 	if len(c.config.Delimiters) == 2 {
 		tpl.Delims(c.config.Delimiters[0], c.config.Delimiters[1])
 	}
@@ -186,9 +191,10 @@ func (c templateContext) StripHTML(s string) string {
 	return buf.String()
 }
 
-// Markdown renders the markdown body as HTML.
-func (c templateContext) Markdown(body string) string {
-	return string(blackfriday.Run([]byte(body)))
+// Markdown renders the markdown body as HTML. The resulting
+// HTML is NOT escaped so that it can be rendered as HTML.
+func (c templateContext) Markdown(body string) template.HTML {
+	return template.HTML(blackfriday.Run([]byte(body)))
 }
 
 // ListFiles reads and returns a slice of names from the given
diff --git a/modules/caddyhttp/templates/tplcontext_test.go b/modules/caddyhttp/templates/tplcontext_test.go
index 88adb5b..9ff7917 100644
--- a/modules/caddyhttp/templates/tplcontext_test.go
+++ b/modules/caddyhttp/templates/tplcontext_test.go
@@ -40,7 +40,7 @@ func TestMarkdown(t *testing.T) {
 			expect: "<ul>\n<li>str1</li>\n<li>str2</li>\n</ul>\n",
 		},
 	} {
-		result := context.Markdown(test.body)
+		result := string(context.Markdown(test.body))
 		if result != test.expect {
 			t.Errorf("Test %d: expected '%s' but got '%s'", i, test.expect, result)
 		} |
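Review bot: `Markdown` wraps blackfriday's output in `template.HTML` without any sanitization, and unless I misremember blackfriday passes raw HTML embedded in the markdown through unchanged by default, so a body that comes from an untrusted source (request data, a user-editable file) is emitted as-is by the template. The new doc comment only says the result is not escaped; it should name the actual contract: `// Markdown renders body as HTML. Raw HTML inside body is passed through and the result is marked safe for html/template, so body must come from a trusted source.` If rendering untrusted markdown is a supported use, sanitizing the rendered HTML before wrapping it, or rendering with blackfriday's `SkipHTML` renderer flag, would be the safer default. The executeTemplateInBuffer hunk above and the tplcontext_test.go hunk below only follow the text/template to html/template switch and raise nothing on their own.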