diff options
author | Peter De Wachter <pdewacht@gmail.com> | 2019-08-14 09:33:54 +0200 |
---|---|---|
committer | Frédéric Guillot <fred@miniflux.net> | 2019-08-15 21:39:41 -0700 |
commit | ea2b6e3608624a2a14af1956a3ad0035b7fb09f0 (patch) | |
tree | 693bda6a0522c069ec6cff94db9c9a9eabc82d42 /reader/rewrite/rewrite_functions.go | |
parent | 3a39d110f0f2a3e976df1e810a861c602a634d14 (diff) |
addImageTitle: Fix HTML injection
This rewrite rule would change this:
<img title="<foo>">
to this:
<figure><img><figcaption><foo></figcaption></figure>
The image title needs to be properly escaped.
Diffstat (limited to 'reader/rewrite/rewrite_functions.go')
-rw-r--r-- | reader/rewrite/rewrite_functions.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/reader/rewrite/rewrite_functions.go b/reader/rewrite/rewrite_functions.go index 6ce9693..667f359 100644 --- a/reader/rewrite/rewrite_functions.go +++ b/reader/rewrite/rewrite_functions.go @@ -6,6 +6,7 @@ package rewrite // import "miniflux.app/reader/rewrite" import ( "fmt" + "html" "regexp" "strings" @@ -32,7 +33,7 @@ func addImageTitle(entryURL, entryContent string) string { srcAttr, _ := img.Attr("src") titleAttr, _ := img.Attr("title") - img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + titleAttr + `</p></figcaption></figure>`) + img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + html.EscapeString(titleAttr) + `</p></figcaption></figure>`) }) output, _ := doc.Find("body").First().Html() |