diff --git a/server/plugin/plg_authenticate_admin/index.go b/server/plugin/plg_authenticate_admin/index.go index a9d39863..d4b10284 100644 --- a/server/plugin/plg_authenticate_admin/index.go +++ b/server/plugin/plg_authenticate_admin/index.go @@ -2,9 +2,12 @@ package plg_authenticate_admin import ( "fmt" - . "github.com/mickael-kerjean/filestash/server/common" - "golang.org/x/crypto/bcrypt" + "html" "net/http" + + . "github.com/mickael-kerjean/filestash/server/common" + + "golang.org/x/crypto/bcrypt" ) func init() { @@ -45,7 +48,7 @@ func (this Admin) EntryPoint(idpParams map[string]string, req *http.Request, res MaxAge: -1, Path: "/", }) - return fmt.Sprintf(`
%s
`, c.Value) + return fmt.Sprintf(`%s
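Review bot: `html.EscapeString(c.Value)` in the new `return fmt.Sprintf(...)` line only neutralises the cookie value if the `%s` placeholder sits in element text or a double-quoted attribute; inside a `<script>` block, an inline event handler or a URL-valued attribute it is still injectable, and the surrounding markup is not legible in this view, so that placement needs confirming against the file. A more robust fix is to stop hand-assembling HTML with `fmt.Sprintf` and render the error page through a parsed `html/template`, which chooses the escaper from the context the placeholder appears in, roughly `errTmpl.Execute(&buf, c.Value)` with the template parsed once at package level. EntryPoint's body starts before this hunk and continues after it.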
`, html.EscapeString(c.Value)) } res.Header().Set("Content-Type", "text/html; charset=utf-8") res.WriteHeader(http.StatusOK) diff --git a/server/plugin/plg_authenticate_htpasswd/index.go b/server/plugin/plg_authenticate_htpasswd/index.go index 0e5bee4b..5c019ee6 100644 --- a/server/plugin/plg_authenticate_htpasswd/index.go +++ b/server/plugin/plg_authenticate_htpasswd/index.go @@ -5,15 +5,16 @@ import ( "crypto/subtle" "encoding/base64" "fmt" - . "github.com/mickael-kerjean/filestash/server/common" + "html" + "net/http" + "strings" + . "github.com/mickael-kerjean/filestash/server/common" "github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt" "github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/apr1_crypt" "github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/md5_crypt" "github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/sha256_crypt" "github.com/mickael-kerjean/filestash/server/plugin/plg_authenticate_htpasswd/deps/crypt/sha512_crypt" - "net/http" - "strings" ) func init() { @@ -65,7 +66,7 @@ func (this Htpasswd) EntryPoint(idpParams map[string]string, req *http.Request, MaxAge: -1, Path: "/", }) - return fmt.Sprintf(`%s
`, c.Value) + return fmt.Sprintf(`%s
`, html.EscapeString(c.Value)) } res.Header().Set("Content-Type", "text/html; charset=utf-8") res.WriteHeader(http.StatusOK) diff --git a/server/plugin/plg_authenticate_local/auth.go b/server/plugin/plg_authenticate_local/auth.go index f4cca734..450c584f 100644 --- a/server/plugin/plg_authenticate_local/auth.go +++ b/server/plugin/plg_authenticate_local/auth.go @@ -5,6 +5,7 @@ import ( "encoding/base64" "encoding/json" "fmt" + "html" "image/png" "net/http" "text/template" @@ -93,7 +94,7 @@ func (this SimpleAuth) EntryPoint(idpParams map[string]string, req *http.Request MaxAge: -1, Path: "/", }) - return fmt.Sprintf(`%s
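Review bot: The escaped error-page `return fmt.Sprintf(...)` at the end of this hunk is now the third copy of the same three lines (the admin and local plugins carry the identical block), which is how the missing escape slipped through in the first place; moving it into one helper in `server/common`, e.g. `func AuthErrorPage(msg string) string` built on `html/template`, makes the next plugin safe by default. The cookie is cleared with `MaxAge: -1` before the value is reflected, which is fine, but the helper should still take the raw value and do its own escaping rather than trusting callers to pre-escape. EntryPoint's body starts before this hunk and continues after it.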
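Review bot: The import block keeps `"text/template"` alongside the newly added `"html"`, while `handler.go` in the same package switches to `html/template` in this same commit; if the `text/template` use in auth.go renders HTML (not visible in this hunk), it has the same unescaped-output problem the commit fixes elsewhere and should move to `"html/template"` too. If it genuinely produces non-HTML output, a short comment on the import, `// text/template: output is not rendered as HTML`, would stop the next reviewer from asking. Only the import block is in the hunk; the template usage is outside it.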
`, c.Value) + return fmt.Sprintf(`%s
`, html.EscapeString(c.Value)) } res.Header().Set("Content-Type", "text/html; charset=utf-8") res.WriteHeader(http.StatusOK) diff --git a/server/plugin/plg_authenticate_local/handler.go b/server/plugin/plg_authenticate_local/handler.go index a0399dda..23caa375 100644 --- a/server/plugin/plg_authenticate_local/handler.go +++ b/server/plugin/plg_authenticate_local/handler.go @@ -2,9 +2,9 @@ package plg_authenticate_local import ( _ "embed" + "html/template" "net/http" "net/url" - "text/template" . "github.com/mickael-kerjean/filestash/server/common" ) diff --git a/server/plugin/plg_authenticate_passthrough/index.go b/server/plugin/plg_authenticate_passthrough/index.go index 48d74f1c..f9b11e98 100644 --- a/server/plugin/plg_authenticate_passthrough/index.go +++ b/server/plugin/plg_authenticate_passthrough/index.go @@ -2,8 +2,10 @@ package plg_authenticate_passthrough import ( "fmt" - . "github.com/mickael-kerjean/filestash/server/common" + "html" "net/http" + + . "github.com/mickael-kerjean/filestash/server/common" ) func init() { @@ -36,32 +38,37 @@ func (this Admin) Setup() Form { func (this Admin) EntryPoint(idpParams map[string]string, req *http.Request, res http.ResponseWriter) error { res.Header().Set("Content-Type", "text/html; charset=utf-8") - getParams := "?label=" + req.URL.Query().Get("label") + "&state=" + req.URL.Query().Get("state") + getParams := "?label=" + html.EscapeString(req.URL.Query().Get("label")) + "&state=" + html.EscapeString(req.URL.Query().Get("state")) switch idpParams["strategy"] { case "direct": res.WriteHeader(http.StatusOK) - res.Write([]byte(Page(`
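Review bot: This path still builds the error page by string formatting, `fmt.Sprintf(`...%s...`, html.EscapeString(c.Value))`, even though `handler.go` in the same package now renders through `html/template`; using the same mechanism here would give contextual escaping instead of relying on `%s` being in a text or attribute context, which cannot be confirmed from the stripped markup in this view. As a minimum, a comment on the return line, `// c.Value is attacker-controllable cookie content; must stay escaped`, records why the escape is there. EntryPoint's body starts and ends outside the hunk.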
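Review bot: Switching `"text/template"` to `"html/template"` changes what every `{{...}}` action in the template emits: values are now escaped for their HTML, attribute, URL or JS context, so any field that was deliberately inserted as raw markup or as a pre-built link must be typed `template.HTML` or `template.URL` at the call site, or it will render as escaped text. The import hunk is all that is visible here, so this needs checking against the template and the data it is executed with; a note on the import, `// html/template: contextual autoescape; pass intentional markup as template.HTML`, records the intent.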
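Review bot: The `"html"` package added to this import block is the wrong escaper for its consumer: the `getParams` line at the start of the following hunk (which runs past the end of this view) uses `html.EscapeString` to build a query string, and HTML entity encoding leaves `=`, `#`, `%` and spaces untouched while turning `&` into `&amp;`, which a browser decodes back to `&` inside an attribute, so a `state` value such as `x&label=y` can still inject a parameter if the string ends up in markup. Encode URL components with `net/url`, e.g. `url.Values{"label": {label}, "state": {state}}.Encode()`, and apply HTML escaping only where the resulting string is embedded into the page. That means adding `"net/url"` to this import block alongside `"html"`.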