
escape title and login, to prevent XSS

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
pull/197/head
Michael Telatynski 7 years ago
parent
commit
c9eb00221e
  1. 4
      src/github.com/matrix-org/go-neb/services/github/github.go

4
src/github.com/matrix-org/go-neb/services/github/github.go

@ -20,6 +20,7 @@ import (
"github.com/matrix-org/go-neb/services/github/client" "github.com/matrix-org/go-neb/services/github/client"
"github.com/matrix-org/go-neb/types" "github.com/matrix-org/go-neb/types"
"github.com/matrix-org/gomatrix" "github.com/matrix-org/gomatrix"
"html"
) )
// ServiceType of the Github service // ServiceType of the Github service
@ -118,7 +119,8 @@ func (s *Service) cmdGithubSearch(roomID, userID string, args []string) (interfa
if issue.HTMLURL == nil || issue.User.Login == nil || issue.Title == nil { if issue.HTMLURL == nil || issue.User.Login == nil || issue.Title == nil {
continue continue
} }
htmlBuffer.WriteString(fmt.Sprintf(`<li><a href="%s" rel="noopener">%s: %s</a></li>`, *issue.HTMLURL, *issue.User.Login, *issue.Title))
escapedTitle, escapedUserLogin := html.EscapeString(*issue.Title), html.EscapeString(*issue.User.Login)
htmlBuffer.WriteString(fmt.Sprintf(`<li><a href="%s" rel="noopener">%s: %s</a></li>`, *issue.HTMLURL, escapedUserLogin, escapedTitle))
plainBuffer.WriteString(fmt.Sprintf("%d. %s\n", i+1, *issue.HTMLURL)) plainBuffer.WriteString(fmt.Sprintf("%d. %s\n", i+1, *issue.HTMLURL))
} }
htmlBuffer.WriteString("</ol>") htmlBuffer.WriteString("</ol>")
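Review bot: The new `htmlBuffer.WriteString` line still interpolates `*issue.HTMLURL` into the `href` attribute verbatim, while only the title and login are escaped. Even if the value comes from the GitHub API rather than from the user, a URL containing `&` or `"` yields a malformed attribute, and escaping it is the consistent choice for everything written into HTML here. Change the two lines to `escapedURL, escapedTitle, escapedUserLogin := html.EscapeString(*issue.HTMLURL), html.EscapeString(*issue.Title), html.EscapeString(*issue.User.Login)` and `htmlBuffer.WriteString(fmt.Sprintf(`<li><a href="%s" rel="noopener">%s: %s</a></li>`, escapedURL, escapedUserLogin, escapedTitle))`; `html/template` would make the attribute-context escaping automatic if this markup grows. The body of cmdGithubSearch starts and ends outside this hunk.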
