
Using HTMLEscapeString in adminui.go to avoid XSS attack

This commit is contained in:
Ming Deng
2020-06-19 21:39:56 +08:00
parent 86935ada01
commit 6c0db4db3d
3 changed files with 33 additions and 26 deletions


@ -284,7 +284,12 @@ func (input *BeegoInput) ParamsLen() int {
func (input *BeegoInput) Param(key string) string {
for i, v := range input.pnames {
if v == key && i <= len(input.pvalues) {
return url.PathEscape(input.pvalues[i])
// we cannot use url.PathEscape(input.pvalues[i])
// for example, if the value is /a/b
// after url.PathEscape(input.pvalues[i]), the value is %2Fa%2Fb
// However, the value is used in ControllerRegister.ServeHTTP
// and split by "/", so function crash...
return input.pvalues[i]
}
}
return ""
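Review bot: The bounds guard on the `if` line still reads `i <= len(input.pvalues)`, so when `i == len(input.pvalues)` the new `return input.pvalues[i]` line indexes one past the end and panics with an index-out-of-range; the condition should be `if v == key && i < len(input.pvalues) {`. Whether pnames can ever be longer than pvalues depends on how the router fills them, which is outside this hunk, but a guard that is only ever off by one should use the strict comparison regardless. Dropping url.PathEscape also means Param now hands back the raw path segment, so any caller that writes it into an HTML response has to escape it at that point (the commit title indicates adminui.go does this); a doc comment such as `// Param returns the raw, unescaped value of the named path parameter, or "" if absent.` would make that contract visible to callers. The function's closing brace lies outside the hunk.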