public/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2025-10-31 21:28:11 +09:00
Code Issues Packages Projects Releases Wiki Activity

Fixes xss, clickjacking & password autocompletion

Browse Source
This commit is contained in:
Bwko
2016-11-29 22:49:06 +01:00
parent ccad2cce32
commit 1e9730a779
5 changed files with 13 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
modules/context/context.go
View File

@@ -6,6 +6,7 @@ package context
import (
"fmt"
"html"
"html/template"
"io"
"net/http"
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
}
}
ctx.Data["CsrfToken"] = x.GetToken()
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
log.Debug("Session ID: %s", sess.ID())
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])