authorMatthew Holt <mholt@users.noreply.github.com>2019-06-27 13:30:41 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-06-27 13:30:41 -0600
commit006dc1792f0118552f81e17cfbe2802a3180c352 (patch)
tree52f17511187bda5054d944ef06e55c026e93c8ea /modules
parenta63cb3e3fdea70991a95c3f0bc8f3866a5aec6ef (diff)
Use html/template for escaping by default
Allow HTML only with a few specific functions
Diffstat (limited to 'modules')
-rw-r--r--modules/caddyhttp/templates/tplcontext.go26
-rw-r--r--modules/caddyhttp/templates/tplcontext_test.go2
2 files changed, 17 insertions, 11 deletions
diff --git a/modules/caddyhttp/templates/tplcontext.go b/modules/caddyhttp/templates/tplcontext.go
index 19bf714..5c5d990 100644
--- a/modules/caddyhttp/templates/tplcontext.go
+++ b/modules/caddyhttp/templates/tplcontext.go
@@ -3,13 +3,13 @@ package templates
import (
"bytes"
"fmt"
+ "html/template"
"io"
"net"
"net/http"
"path"
"strings"
"sync"
- "text/template"
"github.com/Masterminds/sprig"
"github.com/caddyserver/caddy/modules/caddyhttp"
@@ -27,7 +27,10 @@ type templateContext struct {
}
// Include returns the contents of filename relative to the site root.
-func (c templateContext) Include(filename string, args ...interface{}) (string, error) {
+// Note that included files are NOT escaped, so you should only include
+// trusted files. If it is not trusted, be sure to use escaping functions
+// in your template.
+func (c templateContext) Include(filename string, args ...interface{}) (template.HTML, error) {
if c.Root == nil {
return "", fmt.Errorf("root file system not specified")
}
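Review bot: The new doc comment on Include says included files are "NOT escaped", but what the change actually does is return the result typed as template.HTML, which tells the calling html/template to skip its contextual escaping for the whole value; the same wording is used on HTTPInclude in the next hunk. If the included file is itself executed through the package's template machinery before being wrapped (its body is outside this hunk, so this is inferred), dynamic values inside it are still escaped and only the assembled result is marked trusted, so "not escaped" overstates it. A more precise comment would be `// The result is returned as template.HTML, so the calling template does NOT escape it: only include files you trust, and escape untrusted data inside them.` Include's body continues past the end of this hunk.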
@@ -54,12 +57,14 @@ func (c templateContext) Include(filename string, args ...interface{}) (string,
return "", err
}
- return bodyBuf.String(), nil
+ return template.HTML(bodyBuf.String()), nil
}
// HTTPInclude returns the body of a virtual (lightweight) request
-// to the given URI on the same server.
-func (c templateContext) HTTPInclude(uri string) (string, error) {
+// to the given URI on the same server. Note that included bodies
+// are NOT escaped, so you should only include trusted resources.
+// If it is not trusted, be sure to use escaping functions yourself.
+func (c templateContext) HTTPInclude(uri string) (template.HTML, error) {
if c.Req.Header.Get(recursionPreventionHeader) == "1" {
return "", fmt.Errorf("virtual include cycle")
}
@@ -87,11 +92,11 @@ func (c templateContext) HTTPInclude(uri string) (string, error) {
return "", err
}
- return buf.String(), nil
+ return template.HTML(buf.String()), nil
}
func (c templateContext) executeTemplateInBuffer(tplName string, buf *bytes.Buffer) error {
- tpl := template.New(tplName).Funcs(sprig.TxtFuncMap())
+ tpl := template.New(tplName).Funcs(sprig.FuncMap())
if len(c.config.Delimiters) == 2 {
tpl.Delims(c.config.Delimiters[0], c.config.Delimiters[1])
}
@@ -186,9 +191,10 @@ func (c templateContext) StripHTML(s string) string {
return buf.String()
}
-// Markdown renders the markdown body as HTML.
-func (c templateContext) Markdown(body string) string {
- return string(blackfriday.Run([]byte(body)))
+// Markdown renders the markdown body as HTML. The resulting
+// HTML is NOT escaped so that it can be rendered as HTML.
+func (c templateContext) Markdown(body string) template.HTML {
+ return template.HTML(blackfriday.Run([]byte(body)))
}
// ListFiles reads and returns a slice of names from the given
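Review bot: Markdown now hands blackfriday's output to the calling template as template.HTML, and blackfriday passes inline HTML found in the markdown source through by default, so markup embedded in `body` reaches the page unescaped. The new comment explains that the output is not escaped but not that the input must therefore be trusted, which is the property a template author needs when `body` originates from a request or a stored document. Suggest extending the comment with `// The body is rendered as-is (inline HTML included), so only pass markdown from trusted sources or sanitize it first.` If untrusted markdown is a realistic input here, rendering with blackfriday's SkipHTML renderer flag, or a sanitizer pass before the template.HTML conversion, would close that gap.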
diff --git a/modules/caddyhttp/templates/tplcontext_test.go b/modules/caddyhttp/templates/tplcontext_test.go
index 88adb5b..9ff7917 100644
--- a/modules/caddyhttp/templates/tplcontext_test.go
+++ b/modules/caddyhttp/templates/tplcontext_test.go
@@ -40,7 +40,7 @@ func TestMarkdown(t *testing.T) {
expect: "<ul>\n<li>str1</li>\n<li>str2</li>\n</ul>\n",
},
} {
- result := context.Markdown(test.body)
+ result := string(context.Markdown(test.body))
if result != test.expect {
t.Errorf("Test %d: expected '%s' but got '%s'", i, test.expect, result)
}
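Review bot: The test still only exercises plain markdown, so the contract the commit introduces — inline HTML in `body` passing through to the template.HTML result — is not pinned by any case. A table entry whose body contains a literal HTML tag, with an expected value showing it unescaped, would document the behaviour the commit message relies on and catch a later change that silently starts escaping or stripping it. TestMarkdown's table begins outside this hunk.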