aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorGravatar Frédéric Guillot <fred@miniflux.net>2020-01-02 11:06:57 -0800
committerGravatar Frédéric Guillot <fred@miniflux.net>2020-01-02 11:20:10 -0800
commit4d9956cf658d7a970654ae3baf23ad995e287525 (patch)
tree475fc8d39549ec24ad09e0fbc0b206ef0141994c
parentac3c936820033f27e32c9a4490f2f33d6ffd6b05 (diff)
Make sure external URLs are not encoded incorrectly by Go template engine
-rw-r--r--template/common.go10
-rw-r--r--template/functions.go3
-rw-r--r--template/html/choose_subscription.html4
-rw-r--r--template/html/common/feed_list.html2
-rw-r--r--template/html/common/item_meta.html4
-rw-r--r--template/html/entry.html6
-rw-r--r--template/views.go14
7 files changed, 23 insertions, 20 deletions
diff --git a/template/common.go b/template/common.go
index cb90fe3..1dae0c7 100644
--- a/template/common.go
+++ b/template/common.go
@@ -44,7 +44,7 @@ var templateCommonMap = map[string]string{
<div class="item-meta">
<ul>
<li>
- <a href="{{ .SiteURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a>
+ <a href="{{ .SiteURL | safeURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a>
</li>
<li>
{{ t "page.feeds.last_check" }} <time datetime="{{ isodate .CheckedAt }}" title="{{ isodate .CheckedAt }}">{{ elapsed $.user.Timezone .CheckedAt }}</time>
@@ -99,11 +99,11 @@ var templateCommonMap = map[string]string{
</li>
{{ end }}
<li>
- <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a>
+ <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a>
</li>
{{ if .entry.CommentsURL }}
<li>
- <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
+ <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
</li>
{{ end }}
<li>
@@ -331,8 +331,8 @@ var templateCommonMap = map[string]string{
var templateCommonMapChecksums = map[string]string{
"entry_pagination": "4faa91e2eae150c5e4eab4d258e039dfdd413bab7602f0009360e6d52898e353",
- "feed_list": "7b7ea2c7df07d048c83d86237d5b5e41bddce561273c652d9265950093ca261b",
- "item_meta": "34deb081a054f2948ad808bdb2c8603d6ab00c58f2f50c4ead0b47ae092888eb",
+ "feed_list": "db406e7cb81292ce1d974d63f63270384a286848b2e74fe36bf711b4eb5717dd",
+ "item_meta": "285daae854456d0156967fdbe2834c954f2c772239bb736c88041d49a4a21219",
"layout": "f19597d8cd74e17b33826c25b8421f46fef87276f0d95c695bba8f53bb4f95e6",
"pagination": "3386e90c6e1230311459e9a484629bc5d5bf39514a75ef2e73bbbc61142f7abb",
"settings_menu": "78e5a487ede18610b23db74184dab023170f9e083cc0625bc2c874d1eea1a4ce",
diff --git a/template/functions.go b/template/functions.go
index 157935d..3b6423f 100644
--- a/template/functions.go
+++ b/template/functions.go
@@ -48,6 +48,9 @@ func (f *funcMap) Map() template.FuncMap {
"route": func(name string, args ...interface{}) string {
return route.Path(f.router, name, args...)
},
+ "safeURL": func(url string) template.URL {
+ return template.URL(url)
+ },
"noescape": func(str string) template.HTML {
return template.HTML(str)
},
diff --git a/template/html/choose_subscription.html b/template/html/choose_subscription.html
index ee4a1dc..de33003 100644
--- a/template/html/choose_subscription.html
+++ b/template/html/choose_subscription.html
@@ -32,8 +32,8 @@
{{ range .subscriptions }}
<div class="radio-group">
- <label title="{{ .URL }}"><input type="radio" name="url" value="{{ .URL }}"> {{ .Title }}</label> ({{ .Type }})
- <small title="Type = {{ .Type }}"><a href="{{ .URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a></small>
+ <label title="{{ .URL | safeURL }}"><input type="radio" name="url" value="{{ .URL | safeURL }}"> {{ .Title }}</label> ({{ .Type }})
+ <small title="Type = {{ .Type }}"><a href="{{ .URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a></small>
</div>
{{ end }}
diff --git a/template/html/common/feed_list.html b/template/html/common/feed_list.html
index cb80a1f..8e57ad2 100644
--- a/template/html/common/feed_list.html
+++ b/template/html/common/feed_list.html
@@ -20,7 +20,7 @@
<div class="item-meta">
<ul>
<li>
- <a href="{{ .SiteURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a>
+ <a href="{{ .SiteURL | safeURL }}" title="{{ .SiteURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ domain .SiteURL }}</a>
</li>
<li>
{{ t "page.feeds.last_check" }} <time datetime="{{ isodate .CheckedAt }}" title="{{ isodate .CheckedAt }}">{{ elapsed $.user.Timezone .CheckedAt }}</time>
diff --git a/template/html/common/item_meta.html b/template/html/common/item_meta.html
index ba83da7..1797700 100644
--- a/template/html/common/item_meta.html
+++ b/template/html/common/item_meta.html
@@ -19,11 +19,11 @@
</li>
{{ end }}
<li>
- <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a>
+ <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer" data-original-link="true">{{ t "entry.original.label" }}</a>
</li>
{{ if .entry.CommentsURL }}
<li>
- <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
+ <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
</li>
{{ end }}
<li>
diff --git a/template/html/entry.html b/template/html/entry.html
index df5882b..cbf85f6 100644
--- a/template/html/entry.html
+++ b/template/html/entry.html
@@ -4,7 +4,7 @@
<section class="entry" data-id="{{ .entry.ID }}">
<header class="entry-header">
<h1>
- <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a>
+ <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a>
</h1>
<div class="entry-actions">
<ul>
@@ -54,7 +54,7 @@
</li>
{{ if .entry.CommentsURL }}
<li>
- <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
+ <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
</li>
{{ end }}
</ul>
@@ -115,7 +115,7 @@
{{ end }}
<div class="entry-enclosure-download">
- <a href="{{ .URL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a>
+ <a href="{{ .URL | safeURL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a>
<small>{{ if gt .Size 0 }} - <strong>{{ formatFileSize .Size }}</strong>{{ end }}</small>
</div>
</div>
diff --git a/template/views.go b/template/views.go
index 477b7e5..c4e9b86 100644
--- a/template/views.go
+++ b/template/views.go
@@ -327,8 +327,8 @@ var templateViewsMap = map[string]string{
{{ range .subscriptions }}
<div class="radio-group">
- <label title="{{ .URL }}"><input type="radio" name="url" value="{{ .URL }}"> {{ .Title }}</label> ({{ .Type }})
- <small title="Type = {{ .Type }}"><a href="{{ .URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a></small>
+ <label title="{{ .URL | safeURL }}"><input type="radio" name="url" value="{{ .URL | safeURL }}"> {{ .Title }}</label> ({{ .Type }})
+ <small title="Type = {{ .Type }}"><a href="{{ .URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a></small>
</div>
{{ end }}
@@ -577,7 +577,7 @@ var templateViewsMap = map[string]string{
<section class="entry" data-id="{{ .entry.ID }}">
<header class="entry-header">
<h1>
- <a href="{{ .entry.URL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a>
+ <a href="{{ .entry.URL | safeURL }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .entry.Title }}</a>
</h1>
<div class="entry-actions">
<ul>
@@ -627,7 +627,7 @@ var templateViewsMap = map[string]string{
</li>
{{ if .entry.CommentsURL }}
<li>
- <a href="{{ .entry.CommentsURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
+ <a href="{{ .entry.CommentsURL | safeURL }}" title="{{ t "entry.comments.title" }}" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ t "entry.comments.label" }}</a>
</li>
{{ end }}
</ul>
@@ -688,7 +688,7 @@ var templateViewsMap = map[string]string{
{{ end }}
<div class="entry-enclosure-download">
- <a href="{{ .URL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL }}</a>
+ <a href="{{ .URL | safeURL }}" title="{{ t "action.download" }}{{ if gt .Size 0 }} - {{ formatFileSize .Size }}{{ end }} ({{ .MimeType }})" target="_blank" rel="noopener noreferrer" referrerpolicy="no-referrer">{{ .URL | safeURL }}</a>
<small>{{ if gt .Size 0 }} - <strong>{{ formatFileSize .Size }}</strong>{{ end }}</small>
</div>
</div>
@@ -1356,13 +1356,13 @@ var templateViewsMapChecksums = map[string]string{
"categories": "2c5dd0ed6355bd5acc393bbf6117d20458b5581aab82036008324f6bbbe2af75",
"category_entries": "dee7b9cd60c6c46f01dd4289940679df31c1fce28ce4aa7249fa459023e1eeb4",
"category_feeds": "527c2ffbc4fcec775071424ba1022ae003525dba53a28cc41f48fb7b30aa984b",
- "choose_subscription": "5f21556e6cecfd64b1cff30e22ef313d2f09698cebb03f711cbac8ec7f2c1d04",
+ "choose_subscription": "26f37a6e1c52cf70a0900dbbbb99f9ee905698ea11b722798093e22166798755",
"create_category": "6b22b5ce51abf4e225e23a79f81be09a7fb90acb265e93a8faf9446dff74018d",
"create_user": "9b73a55233615e461d1f07d99ad1d4d3b54532588ab960097ba3e090c85aaf3a",
"edit_category": "b1c0b38f1b714c5d884edcd61e5b5295a5f1c8b71c469b35391e4dcc97cc6d36",
"edit_feed": "34aa0d668b3ea1a1b5fa480c20cebeae729b37010af3bb915d2a9eed73d3b996",
"edit_user": "c692db9de1a084c57b93e95a14b041d39bf489846cbb91fc982a62b72b77062a",
- "entry": "fc21489367156b0cd71888e6485f47f3146c73f2a28d1ce8d147771b99478038",
+ "entry": "4258936829a5baf9d5b95d3884add13034105a931ee844ee4c4d3a6f1928f61a",
"feed_entries": "9c70b82f55e4b311eff20be1641733612e3c1b406ce8010861e4c417d97b6dcc",
"feeds": "fa06cd1e1e3fec79132386972c640a2fe91237f5dba572389d5f45be74545f25",
"history_entries": "87e17d39de70eb3fdbc4000326283be610928758eae7924e4b08dcb446f3b6a9",