diff options
| author |  Frédéric Guillot <fred@miniflux.net> | 2020-01-02 11:06:57 -0800 |
|---|---|---|
| committer | Frédéric Guillot <fred@miniflux.net> | 2020-01-02 11:20:10 -0800 |
| commit | 4d9956cf658d7a970654ae3baf23ad995e287525 (patch) | |
| tree | 475fc8d39549ec24ad09e0fbc0b206ef0141994c | |
| parent | ac3c936820033f27e32c9a4490f2f33d6ffd6b05 (diff) | |
Make sure external URLs are not encoded incorrectly by Go template engine
| -rw-r--r-- | template/common.go | 10 | ||||
| -rw-r--r-- | template/functions.go | 3 | ||||
| -rw-r--r-- | template/html/choose_subscription.html | 4 | ||||
| -rw-r--r-- | template/html/common/feed_list.html | 2 | ||||
| -rw-r--r-- | template/html/common/item_meta.html | 4 | ||||
| -rw-r--r-- | template/html/entry.html | 6 | ||||
| -rw-r--r-- | template/views.go | 14 |
7 files changed, 23 insertions, 20 deletions
diff --git a/template/common.go b/template/common.go index cb90fe3..1dae0c7 100644 --- a/template/common.go +++ b/template/common.go @@ -44,7 +44,7 @@ var templateCommonMap = map[string]string{ <div class="item-meta"> <ul> <li> - <a href="{{ .SiteURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a> + <a href="{{ .SiteURL | safeURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a> </li> <li> {{ t "page.feeds.last_check" }} <time datetime="{{ isodate .CheckedAt }}" title="{{ isodate .CheckedAt }}">{{ elapsed $.user.Timezone .CheckedAt }}</time> @@ -99,11 +99,11 @@ var templateCommonMap = map[string]string{ </li> {{ end }} <li> - <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a> + <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a> </li> {{ if .entry.CommentsURL }} <li> - <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> + <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> </li> {{ end }} <li> @@ -331,8 +331,8 @@ var templateCommonMap = map[string]string{ var templateCommonMapChecksums = map[string]string{ "entry_pagination": "4faa91e2eae150c5e4eab4d258e039dfdd413bab7602f0009360e6d52898e353", - "feed_list": "7b7ea2c7df07d048c83d86237d5b5e41bddce561273c652d9265950093ca261b", - "item_meta": "34deb081a054f2948ad808bdb2c8603d6ab00c58f2f50c4ead0b47ae092888eb", + "feed_list": "db406e7cb81292ce1d974d63f63270384a286848b2e74fe36bf711b4eb5717dd", + "item_meta": "285daae854456d0156967fdbe2834c954f2c772239bb736c88041d49a4a21219", "layout": "f19597d8cd74e17b33826c25b8421f46fef87276f0d95c695bba8f53bb4f95e6", "pagination": "3386e90c6e1230311459e9a484629bc5d5bf39514a75ef2e73bbbc61142f7abb", "settings_menu": "78e5a487ede18610b23db74184dab023170f9e083cc0625bc2c874d1eea1a4ce", diff --git a/template/functions.go b/template/functions.go index 157935d..3b6423f 100644 --- a/template/functions.go +++ b/template/functions.go @@ -48,6 +48,9 @@ func (f *funcMap) Map() template.FuncMap { "route": func(name string, args ...interface{}) string { return route.Path(f.router, name, args...) }, + "safeURL": func(url string) template.URL { + return template.URL(url) + }, "noescape": func(str string) template.HTML { return template.HTML(str) }, diff --git a/template/html/choose_subscription.html b/template/html/choose_subscription.html index ee4a1dc..de33003 100644 --- a/template/html/choose_subscription.html +++ b/template/html/choose_subscription.html @@ -32,8 +32,8 @@ {{ range .subscriptions }} <div class="radio-group"> - <label title="{{ .URL }}"><input type="radio" name="url" value="{{ .URL }}"> {{ .Title }}</label> ({{ .Type }}) - <small title="Type = {{ .Type }}"><a href="{{ .URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a></small> + <label title="{{ .URL | safeURL }}"><input type="radio" name="url" value="{{ .URL | safeURL }}"> {{ .Title }}</label> ({{ .Type }}) + <small title="Type = {{ .Type }}"><a href="{{ .URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a></small> </div> {{ end }} diff --git a/template/html/common/feed_list.html b/template/html/common/feed_list.html index cb80a1f..8e57ad2 100644 --- a/template/html/common/feed_list.html +++ b/template/html/common/feed_list.html @@ -20,7 +20,7 @@ <div class="item-meta"> <ul> <li> - <a href="{{ .SiteURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a> + <a href="{{ .SiteURL | safeURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a> </li> <li> {{ t "page.feeds.last_check" }} <time datetime="{{ isodate .CheckedAt }}" title="{{ isodate .CheckedAt }}">{{ elapsed $.user.Timezone .CheckedAt }}</time> diff --git a/template/html/common/item_meta.html b/template/html/common/item_meta.html index ba83da7..1797700 100644 --- a/template/html/common/item_meta.html +++ b/template/html/common/item_meta.html @@ -19,11 +19,11 @@ </li> {{ end }} <li> - <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a> + <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a> </li> {{ if .entry.CommentsURL }} <li> - <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> + <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> </li> {{ end }} <li> diff --git a/template/html/entry.html b/template/html/entry.html index df5882b..cbf85f6 100644 --- a/template/html/entry.html +++ b/template/html/entry.html @@ -4,7 +4,7 @@ <section class="entry" data-id="{{ .entry.ID }}"> <header class="entry-header"> <h1> - <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a> + <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a> </h1> <div class="entry-actions"> <ul> @@ -54,7 +54,7 @@ </li> {{ if .entry.CommentsURL }} <li> - <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> + <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> </li> {{ end }} </ul> @@ -115,7 +115,7 @@ {{ end }} <div class="entry-enclosure-download"> - <a href="{{ .URL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a> + <a href="{{ .URL | safeURL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a> <small>{{ if gt .Size 0 }} - <strong>{{ formatFileSize .Size }}</strong>{{ end }}</small> </div> </div> diff --git a/template/views.go b/template/views.go index 477b7e5..c4e9b86 100644 --- a/template/views.go +++ b/template/views.go @@ -327,8 +327,8 @@ var templateViewsMap = map[string]string{ {{ range .subscriptions }} <div class="radio-group"> - <label title="{{ .URL }}"><input type="radio" name="url" value="{{ .URL }}"> {{ .Title }}</label> ({{ .Type }}) - <small title="Type = {{ .Type }}"><a href="{{ .URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a></small> + <label title="{{ .URL | safeURL }}"><input type="radio" name="url" value="{{ .URL | safeURL }}"> {{ .Title }}</label> ({{ .Type }}) + <small title="Type = {{ .Type }}"><a href="{{ .URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a></small> </div> {{ end }} @@ -577,7 +577,7 @@ var templateViewsMap = map[string]string{ <section class="entry" data-id="{{ .entry.ID }}"> <header class="entry-header"> <h1> - <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a> + <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a> </h1> <div class="entry-actions"> <ul> @@ -627,7 +627,7 @@ var templateViewsMap = map[string]string{ </li> {{ if .entry.CommentsURL }} <li> - <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> + <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a> </li> {{ end }} </ul> @@ -688,7 +688,7 @@ var templateViewsMap = map[string]string{ {{ end }} <div class="entry-enclosure-download"> - <a href="{{ .URL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a> + <a href="{{ .URL | safeURL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a> <small>{{ if gt .Size 0 }} - <strong>{{ formatFileSize .Size }}</strong>{{ end }}</small> </div> </div> @@ -1356,13 +1356,13 @@ var templateViewsMapChecksums = map[string]string{ "categories": "2c5dd0ed6355bd5acc393bbf6117d20458b5581aab82036008324f6bbbe2af75", "category_entries": "dee7b9cd60c6c46f01dd4289940679df31c1fce28ce4aa7249fa459023e1eeb4", "category_feeds": "527c2ffbc4fcec775071424ba1022ae003525dba53a28cc41f48fb7b30aa984b", - "choose_subscription": "5f21556e6cecfd64b1cff30e22ef313d2f09698cebb03f711cbac8ec7f2c1d04", + "choose_subscription": "26f37a6e1c52cf70a0900dbbbb99f9ee905698ea11b722798093e22166798755", "create_category": "6b22b5ce51abf4e225e23a79f81be09a7fb90acb265e93a8faf9446dff74018d", "create_user": "9b73a55233615e461d1f07d99ad1d4d3b54532588ab960097ba3e090c85aaf3a", "edit_category": "b1c0b38f1b714c5d884edcd61e5b5295a5f1c8b71c469b35391e4dcc97cc6d36", "edit_feed": "34aa0d668b3ea1a1b5fa480c20cebeae729b37010af3bb915d2a9eed73d3b996", "edit_user": "c692db9de1a084c57b93e95a14b041d39bf489846cbb91fc982a62b72b77062a", - "entry": "fc21489367156b0cd71888e6485f47f3146c73f2a28d1ce8d147771b99478038", + "entry": "4258936829a5baf9d5b95d3884add13034105a931ee844ee4c4d3a6f1928f61a", "feed_entries": "9c70b82f55e4b311eff20be1641733612e3c1b406ce8010861e4c417d97b6dcc", "feeds": "fa06cd1e1e3fec79132386972c640a2fe91237f5dba572389d5f45be74545f25", "history_entries": "87e17d39de70eb3fdbc4000326283be610928758eae7924e4b08dcb446f3b6a9", |