@@ -32,13 +32,20 @@ func MessagePage(title, body, theme string) string {
3232 return fmt .Sprintf ("<!doctype html><html><head><title>%s</title>%s</head><body><h1>%s</h1>%s" , title , StyleHead (theme ), title , body )
3333}
3434
35+ var policy = bluemonday .UGCPolicy ()
36+
3537// StyleHead returns contents that goes in "<head>", as bytes.
3638// This is either CSS wrapped in a "<style>" tag, or "<link>" tags to CSS and JS.
3739func StyleHead (theme string ) []byte {
40+
41+ // Sanitize the theme name
42+ theme = policy .Sanitize (theme )
43+
3844 var buf bytes.Buffer
3945 if theme == "material" {
4046 buf .WriteString (MaterialHead ())
4147 }
48+
4249 if strings .HasSuffix (theme , ".css" ) {
4350 buf .WriteString ("<style>html { margin: 3em; }</style>" )
4451 buf .WriteString ("<link rel=\" stylesheet\" href=\" " + theme + "\" >" )
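Review bot: The sanitized `theme` is still concatenated into the `href` attribute on the last line of the hunk, and `policy.Sanitize` only escapes HTML metacharacters in a text fragment — it does not establish that the value is a stylesheet path the page should link to, so a URL-shaped value with an unexpected scheme passes through unchanged. Either add a parse-and-check step before the `.css` branch (reject values `url.Parse` fails on or that carry a scheme the server does not intend to serve) or state the contract above the function: `// Sanitize escapes HTML in theme; it does not validate theme as a URL — callers must pass a trusted theme name or path`. The same applies to `url` in the HTMLLink hunk further down. The context line at the top of the hunk also shows `MessagePage` still passing `title` raw into `<title>` and `<h1>` via Sprintf while the new MessagePageBytes sanitizes it, which is worth reconciling. StyleHead and MessagePage both continue outside the hunk.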
@@ -53,6 +60,11 @@ func StyleHead(theme string) []byte {
5360// MessagePageBytes provides the same functionalityt as MessagePage,
5461// but with []byte instead of string, and without closing </body></html>
5562func MessagePageBytes (title string , body []byte , theme string ) []byte {
63+
64+ // Sanitize the theme and title
65+ theme = policy .Sanitize (theme )
66+ title = policy .Sanitize (title )
67+
5668 var buf bytes.Buffer
5769 buf .WriteString ("<!doctype html><html><head><title>" )
5870 buf .WriteString (title )
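Review bot: `body` is written to the buffer verbatim while `title` and `theme` are now sanitized, and the doc comment above the function does not say which inputs are trusted, so a caller reading only the comment may assume every argument is escaped. Suggest extending it with `// body is written verbatim and must already be trusted HTML; title and theme are sanitized`. The same holds for `inhead` and `body` in SimpleHTMLPage in the next hunk. Note also that `theme` is sanitized here and again inside StyleHead (first hunk); bluemonday's escaping appears idempotent on already-escaped text, but the repeated pass is redundant work. MessagePageBytes continues outside the hunk.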
@@ -67,24 +79,30 @@ func MessagePageBytes(title string, body []byte, theme string) []byte {
6779
6880// SimpleHTMLPage provides a quick way to build a HTML page
6981func SimpleHTMLPage (title , headline , inhead , body , language []byte ) []byte {
82+
83+ // Sanitize the title, headline and language
84+ titleString := policy .Sanitize (string (title ))
85+ headlineString := policy .Sanitize (string (headline ))
86+ languageString := policy .Sanitize (string (language ))
87+
7088 var buf bytes.Buffer
71- if len (language ) > 0 {
89+ if len (languageString ) > 0 {
7290 buf .WriteString ("<!doctype html><html lang=\" " )
73- buf .Write ( language )
91+ buf .WriteString ( languageString )
7492 buf .WriteString ("\" >" )
7593 } else {
7694 buf .WriteString ("<!doctype html><html>" )
7795 }
78- if len (title ) > 0 {
96+ if len (titleString ) > 0 {
7997 buf .WriteString ("<head><title>" )
80- buf .Write ( title )
98+ buf .WriteString ( titleString )
8199 buf .WriteString ("</title></head>" )
82100 }
83101 buf .Write (inhead )
84102 buf .WriteString ("<body>" )
85- if len (headline ) > 0 {
103+ if len (headlineString ) > 0 {
86104 buf .WriteString ("<h1>" )
87- buf .Write ( headline )
105+ buf .WriteString ( headlineString )
88106 buf .WriteString ("</h1>" )
89107 }
90108 buf .Write (body )
@@ -94,6 +112,11 @@ func SimpleHTMLPage(title, headline, inhead, body, language []byte) []byte {
94112// HTMLLink builds an HTML link given the link text, the URL to a file/directory
95113// and a boolean that is true if the given URL is to a directory.
96114func HTMLLink (text , url string , isDirectory bool ) string {
115+
116+ // Sanitize the link text and the link URL
117+ text = policy .Sanitize (text )
118+ url = policy .Sanitize (url )
119+
97120 // Add a final slash, if needed
98121 if isDirectory {
99122 text += "/"
@@ -104,6 +127,10 @@ func HTMLLink(text, url string, isDirectory bool) string {
104127
105128// StyleAmber modifies Amber source code so that a link to the given stylesheet URL is added
106129func StyleAmber (amberdata []byte , url string ) []byte {
130+
131+ // Sanitize the URL
132+ url = policy .Sanitize (url )
133+
107134 // If the given url is not already mentioned and the data contains "body"
108135 if ! bytes .Contains (amberdata , []byte (url )) && bytes .Contains (amberdata , []byte ("html" )) && bytes .Contains (amberdata , []byte ("body" )) {
109136 // Extract one level of indendation
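Review bot: The `bytes.Contains(amberdata, []byte(url))` check on the line after the new block now compares the HTML-escaped URL against raw Amber source: a URL containing `&` (a query string) becomes `&amp;` after `policy.Sanitize`, so the "already mentioned" test can miss and the link is inserted a second time. The same applies to StyleHTML in the following hunk. Keeping the raw value for the check and using the escaped one only for the inserted text avoids that: `rawURL := url` before the sanitize line, then `if !bytes.Contains(amberdata, []byte(rawURL)) && ...`. It is also worth a comment that HTML escaping is applied even though the data here is Amber source, since the two syntaxes differ — confirm that the inserted link line is emitted as HTML-compatible text. StyleAmber continues outside the hunk.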
@@ -122,6 +149,10 @@ func StyleAmber(amberdata []byte, url string) []byte {
122149
123150// StyleHTML modifies HTML source code so that a link to the given stylesheet URL is added
124151func StyleHTML (htmldata []byte , url string ) []byte {
152+
153+ // Sanitize the URL
154+ url = policy .Sanitize (url )
155+
125156 // If the given url is not already mentioned and the data contains "body"
126157 if ! bytes .Contains (htmldata , []byte (url )) && bytes .Contains (htmldata , []byte ("body" )) {
127158 if bytes .Contains (htmldata , []byte ("</head>" )) {
@@ -152,9 +183,11 @@ func InsertDoctype(htmldata []byte) []byte {
152183
153184// NoPage generates a HTML page for when a file is not found
154185func NoPage (filename , theme string ) []byte {
155- // Sanitize the filename
156- policy := bluemonday .UGCPolicy ()
157- sanitizedFilename := policy .Sanitize (filename )
186+
187+ // Sanitize the filename and the theme name
188+ filename = policy .Sanitize (filename )
189+ theme = policy .Sanitize (theme )
190+
158191 // Return a HTML page
159- return MessagePageBytes ("Not found" , []byte ("File not found: " + sanitizedFilename ), theme )
192+ return MessagePageBytes ("Not found" , []byte ("File not found: " + filename ), theme )
160193}
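Review bot: `theme` is sanitized here, then again in MessagePageBytes and a third time in StyleHead (earlier hunks), so NoPage's own `theme = policy.Sanitize(theme)` is redundant — the callee already covers it, and the filename line is the only sanitization this function needs since `filename` lands in the unsanitized `body` argument. Dropping the line, or replacing it with `// theme is sanitized by MessagePageBytes`, keeps one layer responsible. Since the policy moved from a local to the package-level `policy` var in the first hunk, a comment on that var stating it is built once at init and shared read-only by every caller would also help — confirm against bluemonday's documented concurrency guarantee for a configured Policy.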