feat(proxy): Implement HTML escaping in login pages to prevent XSS attacks

This commit is contained in:
Gouryella
2026-01-13 11:03:20 +08:00
parent f75bd9f0d2
commit 029044a9ba


@@ -7,6 +7,7 @@ import (
"crypto/sha256"
"encoding/hex"
"fmt"
"html"
"io"
"net"
"net/http"
@@ -760,10 +761,12 @@ func (h *Handler) serveLoginPage(w http.ResponseWriter, r *http.Request, subdoma
errorHTML := ""
if errorMsg != "" {
errorHTML = fmt.Sprintf(`<p class="error">%s</p>`, errorMsg)
errorHTML = fmt.Sprintf(`<p class="error">%s</p>`, html.EscapeString(errorMsg))
}
html := fmt.Sprintf(`<!DOCTYPE html>
safeRedirectURL := html.EscapeString(redirectURL)
htmlContent := fmt.Sprintf(`<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
@@ -839,10 +842,10 @@ func (h *Handler) serveLoginPage(w http.ResponseWriter, r *http.Request, subdoma
</footer>
</div>
</body>
</html>`, subdomain, subdomain, errorHTML, redirectURL)
</html>`, subdomain, subdomain, errorHTML, safeRedirectURL)
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte(html))
w.Write([]byte(htmlContent))
}
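Review bot: `subdomain` is still interpolated into the page unescaped in the format arguments of the third hunk (`</html>`, subdomain, subdomain, errorHTML, safeRedirectURL)`), while errorMsg and redirectURL now go through html.EscapeString; unless subdomain is guaranteed to come from validated configuration rather than the request Host header or URL, it needs the same treatment, `html.EscapeString(subdomain)` for both occurrences. html.EscapeString only neutralises markup characters, so if safeRedirectURL is rendered into an href, form action or similar URL context (the template body is outside these hunks), a `javascript:` scheme or an external host still passes through unchanged; the redirect target should be validated as a same-site relative path before it is rendered, independently of the escaping. Since the file now imports `html` anyway, `html/template` would give context-aware escaping of all four values and remove the need to hand-escape each fmt.Sprintf argument. serveLoginPage starts before the first hunk shown here.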