We use cookies to ensure you get the best experience on our website
Home Explore Help
Sign In
mirror
/
golang-fave
mirror of https://github.com/vladimirok5959/golang-fave.git
2
0
Fork 0
Files Wiki
Browse Source

Safe html

Vova Tkach 6 years ago
parent
dc7e3cf2e1
commit
aad204d989
2 changed files with 9 additions and 6 deletions
Unified View Show Diff Stats
  1. 3 1
      engine/backend/modules/module_users.go
  2. 6 5
      engine/backend/modules/modules.go

+ 3 - 1
engine/backend/modules/module_users.go
View File 

@@ -1,6 +1,8 @@
 
 package modules
 
 package modules
 
 
 
 import (
 
 import (
 
+	"html"
 
+
 
 	others "golang-fave/engine/wrapper/resources/others"
 
 	others "golang-fave/engine/wrapper/resources/others"
 
 	utils "golang-fave/engine/wrapper/utils"
 
 	utils "golang-fave/engine/wrapper/utils"
 
 )
 
 )
 
@@ -53,7 +55,7 @@ func (this *Module) Module_users_content() string {
 
 			{"id", "", nil},
 
 			{"id", "", nil},
 
 			{"email", "Email", func(values *[]string) string {
 
 			{"email", "Email", func(values *[]string) string {
 
 				return `<a href="/cp/users/modify/` + (*values)[0] + `/">` +
 
 				return `<a href="/cp/users/modify/` + (*values)[0] + `/">` +
 
-					(*values)[1] + `</a>`
 
+					html.EscapeString((*values)[1]) + `</a>`
 
 			}},
 
 			}},
 
 			{"first_name", "First name", nil},
 
 			{"first_name", "First name", nil},
 
 			{"last_name", "Last name", nil},
 
 			{"last_name", "Last name", nil},

+ 6 - 5
engine/backend/modules/modules.go
View File 

@@ -5,6 +5,7 @@ import (
 
 	_ "github.com/go-sql-driver/mysql"
 
 	_ "github.com/go-sql-driver/mysql"
 
 
 
 	"fmt"
 
 	"fmt"
 
+	"html"
 
 	"math"
 
 	"math"
 
 	"reflect"
 
 	"reflect"
 
 	"sort"
 
 	"sort"
 
@@ -135,12 +136,12 @@ func (this *Module) breadcrumb(data []dataBreadcrumb) string {
 
 	result := ``
 
 	result := ``
 
 	result += `<nav aria-label="breadcrumb">`
 
 	result += `<nav aria-label="breadcrumb">`
 
 	result += `<ol class="breadcrumb">`
 
 	result += `<ol class="breadcrumb">`
 
-	result += `<li class="breadcrumb-item"><a href="/cp/` + this.mmod + `/">` + this.module_get_name(this.mmod) + `</a></li>`
 
+	result += `<li class="breadcrumb-item"><a href="/cp/` + this.mmod + `/">` + html.EscapeString(this.module_get_name(this.mmod)) + `</a></li>`
 
 	for _, item := range data {
 
 	for _, item := range data {
 
 		if item.link == "" {
 
 		if item.link == "" {
 
-			result += `<li class="breadcrumb-item active" aria-current="page">` + item.name + `</li>`
 
+			result += `<li class="breadcrumb-item active" aria-current="page">` + html.EscapeString(item.name) + `</li>`
 
 		} else {
 
 		} else {
 
-			result += `<li class="breadcrumb-item"><a href="` + item.link + `">` + item.name + `</a></li>`
 
+			result += `<li class="breadcrumb-item"><a href="` + item.link + `">` + html.EscapeString(item.name) + `</a></li>`
 
 		}
 
 		}
 
 	}
 
 	}
 
 	result += `</ol>`
 
 	result += `</ol>`
 
@@ -179,7 +180,7 @@ func (this *Module) data_table(table string, order_by string, order_way string,
 
 	sql := "SELECT"
 
 	sql := "SELECT"
 
 	for i, column := range data {
 
 	for i, column := range data {
 
 		if column.nameInTable != "" {
 
 		if column.nameInTable != "" {
 
-			result += `<th scope="col" class="col_` + column.dbField + `">` + column.nameInTable + `</th>`
 
+			result += `<th scope="col" class="col_` + column.dbField + `">` + html.EscapeString(column.nameInTable) + `</th>`
 
 		}
 
 		}
 
 		sql += " `" + column.dbField + "`"
 
 		sql += " `" + column.dbField + "`"
 
 		if i+1 < len(data) {
 
 		if i+1 < len(data) {
 
@@ -207,7 +208,7 @@ func (this *Module) data_table(table string, order_by string, order_way string,
 
 				for i, val := range values {
 
 				for i, val := range values {
 
 					if data[i].nameInTable != "" {
 
 					if data[i].nameInTable != "" {
 
 						if data[i].display == nil {
 
 						if data[i].display == nil {
 
-							result += `<td class="col_` + data[i].dbField + `">` + string(val) + `</td>`
 
+							result += `<td class="col_` + data[i].dbField + `">` + html.EscapeString(string(val)) + `</td>`
 
 						} else {
 
 						} else {
 
 							result += `<td class="col_` + data[i].dbField + `">` + data[i].display(&values) + `</td>`
 
 							result += `<td class="col_` + data[i].dbField + `">` + data[i].display(&values) + `</td>`
 
 						}
 
 						}