188 for i := 0; i < len(lines); i++ {
189 output.WriteString(fmt.Sprintf(`<span id="L%d">%d</span>`, i+1, i+1))
190 }
191 c.Data["LineNums"] = gotemplate.HTML(output.String())192 }
193
194 if canEnableEditor {
182 for index, line := range lines {
183 output.WriteString(fmt.Sprintf(`<li class="L%d" rel="L%d">%s</li>`, index+1, index+1, gotemplate.HTMLEscapeString(strings.TrimRight(line, "\r"))) + "\n")
184 }
185 c.Data["FileContent"] = gotemplate.HTML(output.String())186
187 output.Reset()
188 for i := 0; i < len(lines); i++ {
138}
139
140func Safe(raw string) template.HTML {
141 return template.HTML(raw)142}
143
144func Str2HTML(raw string) template.HTML {
142}
143
144func Str2HTML(raw string) template.HTML {
145 return template.HTML(markup.Sanitize(raw))146}
147
148// NewLine2br simply replaces "\n" to "<br>".
302
303// TimeSince calculates the time interval and generate user-friendly string.
304func TimeSince(t time.Time, lang string) template.HTML {
305 return template.HTML(fmt.Sprintf(`<span class="time-since" title="%s">%s</span>`, t.Format(conf.Time.FormatLayout), timeSince(t, lang)))306}
307
308// Subtract deals with subtraction of all types of number.
Potential unescaped data in HTML template.
Do not use external values in the template without escaping as it will not auto-escape HTML and could lead to code injection attacks.
Recommendations:
template.JS
: Using JS to include valid but untrusted JSON is not safe. A safe alternative is to parse the JSON with json.Unmarshal and then pass the resultant object into the template, where it will be converted to sanitized JSON when presented in a JavaScript context.template.HTML
: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.HTMLAttr
: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.template.URL
: Use of this type presents a security risk: the encapsulated content should come from a trusted source, as it will be included verbatim in the template output.package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// Tainted untrusted JSON
a := `{"name": "untrusted"}`
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(a),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}
package main
import (
"fmt"
"html/template"
"os"
)
func main() {
// We assume that hardcoded template strings are safe as the programmer would
// need to be explicitly shooting themselves in the foot (as below)
t := template.Must(template.New("x").Parse(""))
v := map[string]interface{}{
"Body": template.JS(`{"name": "trusted"}`),
}
if err := t.Execute(os.Stdout, v); err != nil {
fmt.Fprintln(os.Stderr, err)
os.Exit(1)
}
}