author | Matthew Holt <[email protected]> | 2017-01-23 22:37:46 -0700 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2017-01-23 22:37:46 -0700 |
commit | 62fea30e878b571136fd9a02dd11edee69f6e2a6 (patch) | |
tree | 54fc54ae9a98ae757487c6bfd34d311f6d4ae121 | |
parent | bbee961415ea829e632257f8e88fbbd0c8008f8e (diff) | |
browse: Sanitize file names and links in default template
Thanks to Kevin Froman (@beardog108) for the responsible heads-up.
-rw-r--r-- | caddyhttp/browse/setup.go | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/caddyhttp/browse/setup.go b/caddyhttp/browse/setup.go
index 19b07bd59..33b34066e 100644
--- a/caddyhttp/browse/setup.go
+++ b/caddyhttp/browse/setup.go
@@ -101,7 +101,7 @@ func browseParse(c *caddy.Controller) ([]Config, error) {
 const defaultTemplate = `<!DOCTYPE html>
 <html>
 <head>
- <title>{{.Name}}</title>
+ <title>{{html .Name}}</title>
 <meta charset="utf-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <style>
@@ -323,7 +323,7 @@ footer {
 <header>
 <h1>
- {{range $url, $name := .BreadcrumbMap}}<a href="{{$url}}">{{$name}}</a>{{if ne $url "/"}}/{{end}}{{end}}
+ {{range $url, $name := .BreadcrumbMap}}<a href="{{html $url}}">{{html $name}}</a>{{if ne $url "/"}}/{{end}}{{end}}
 </h1>
 </header>
 <main>
@@ -385,13 +385,13 @@ footer {
 {{- range .Items}}
 <tr class="file">
 <td>
- <a href="{{.URL}}">
+ <a href="{{html .URL}}">
 {{- if .IsDir}}
 <svg width="1.5em" height="1em" version="1.1" viewBox="0 0 35.678803 28.527945"><use xlink:href="#folder"></use></svg>
 {{- else}}
 <svg width="1.5em" height="1em" version="1.1" viewBox="0 0 26.604381 29.144726"><use xlink:href="#file"></use></svg>
 {{- end}}
- <span class="name">{{.Name}}</span>
+ <span class="name">{{html .Name}}</span>
 </a>
 </td>
 {{- if .IsDir}}
@@ -407,7 +407,7 @@ footer {
 </div>
 </main>
 <footer>
- Served with <a rel="noopener noreferrer" href="https://caddyserver.com">Caddy</a>.
+ Served with <a rel="noopener noreferrer" href="https://caddyserver.com">Caddy</a>
 </footer>
 <script>
 var filterEl = document.getElementById('filter'); |
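Review bot: The fix is applied per call site, so only the four actions touched here (the title, the breadcrumb href and name, the item href and name in the first three hunks) are escaped, and any other interpolation of a file-derived value elsewhere in the roughly 400-line defaultTemplate, or one added later, stays unescaped; the constant begins in the first hunk and ends outside the last, so I cannot confirm from the diff that these are the only sites. The need for explicit `{{html ...}}` suggests the template is parsed with text/template rather than html/template (under html/template the calls would be redundant), and switching the parse would escape every action contextually, including attribute and URL contexts such as `href="{{.URL}}"`, where the `html` function only neutralizes quotes and angle brackets. If text/template has to stay, a comment on the constant would keep the invariant visible to the next editor: `// defaultTemplate is not auto-escaped: every action that renders a file name, path or URL must go through the html function.` The fourth hunk's removal of the period after the Caddy link is unrelated to the sanitization and is not mentioned in the description.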