
Fixes xss, clickjacking & password autocompletion

This commit is contained in:
Bwko 2016-11-29 22:49:06 +01:00
parent ccad2cce32
commit 1e9730a779
5 changed files with 13 additions and 10 deletions


@ -6,6 +6,7 @@ package context
import (
"fmt"
"html"
"html/template"
"io"
"net/http"
@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
}
}
ctx.Data["CsrfToken"] = x.GetToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
log.Debug("Session ID: %s", sess.ID())
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
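Review bot: The CsrfTokenHtml line re-reads the value it just stored through an unchecked type assertion, `ctx.Data["CsrfToken"].(string)`; a local removes both the map lookup and the assertion: `csrfToken := html.EscapeString(x.GetToken())`, then `ctx.Data["CsrfToken"] = csrfToken` and the same `csrfToken` in the template.HTML concatenation. html.EscapeString covers the five characters `<`, `>`, `&`, `'` and `"`, which is what the double-quoted value attribute needs, but keeping the pre-escaped form in ctx.Data means any template that renders {{.CsrfToken}} through html/template's auto-escaper now escapes it a second time — presumably harmless for the token alphabet used here, yet worth a comment such as `// stored pre-escaped for the raw template.HTML below; not the literal token`. The X-Frame-Options header is only set once execution reaches this point of Contexter, so a response produced by an earlier return in the handler (the closing braces at the top of the hunk suggest such a path exists) would not carry it; setting it at the start of the handler, or in a dedicated middleware, would make the clickjacking protection uniform across responses. Contexter's body starts and continues outside the hunk.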