From a8700abe29bd1eeefcec8f357c61da496f84e630 Mon Sep 17 00:00:00 2001 From: Trevor Slocum Date: Tue, 24 Nov 2020 18:34:14 -0800 Subject: [PATCH] Escape page content --- pkg/gmitohtml/convert.go | 20 +++++++++++++------- pkg/gmitohtml/daemon.go | 2 +- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/pkg/gmitohtml/convert.go b/pkg/gmitohtml/convert.go index 819678d..caa730a 100644 --- a/pkg/gmitohtml/convert.go +++ b/pkg/gmitohtml/convert.go @@ -5,6 +5,7 @@ import ( "bytes" "errors" "fmt" + "html" "net/url" "path" "strings" @@ -20,6 +21,11 @@ var assetLock sync.Mutex func rewriteURL(u string, loc *url.URL) string { if daemonAddress != "" { + scheme := "gemini" + if strings.HasPrefix(loc.Path, "/file/") { + scheme = "file" + } + if strings.HasPrefix(u, "gemini://") { return "http://" + daemonAddress + "/gemini/" + u[9:] } else if strings.HasPrefix(u, "file://") { @@ -34,9 +40,9 @@ func rewriteURL(u string, loc *url.URL) string { if u[0] != '/' { newPath = path.Join(loc.Path, u) } - return "http://" + daemonAddress + "/gemini/" + loc.Host + newPath + return "http://" + daemonAddress + "/" + scheme + "/" + loc.Host + newPath } - return "http://" + daemonAddress + "/gemini/" + u + return "http://" + daemonAddress + "/" + scheme + "/" + u } return u } @@ -68,7 +74,7 @@ func Convert(page []byte, u string) []byte { } if preformatted { - result = append(result, line...) + result = append(result, html.EscapeString(string(line))...) result = append(result, []byte("\n")...) continue } @@ -89,9 +95,9 @@ func Convert(page []byte, u string) []byte { linkURL = split[0] linkLabel = split[1] } - link := append([]byte(``)...) - link = append(link, linkLabel...) + link = append(link, html.EscapeString(string(linkLabel))...) link = append(link, []byte(``)...) result = append(result, link...) result = append(result, []byte("
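Review bot: In the first rewriteURL hunk the new `scheme` is chosen with `strings.HasPrefix(loc.Path, "/file/")`, which tests the path of the page URL rather than its scheme. If `loc` is the page's original URL, a Gemini page whose own path begins with `/file/` would presumably have its relative links rewritten to the daemon's `/file/` route by the two changed `return` lines in the next hunk. In that case `if loc.Scheme == "file" { scheme = "file" }` states the intent directly. If `loc` is instead the proxied daemon path, a comment saying so would help, since neither hunk shows which form callers pass. The function body continues outside both hunks.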
")...) @@ -107,11 +113,11 @@ func Convert(page []byte, u string) []byte { } } if heading > 0 { - result = append(result, []byte(fmt.Sprintf("%s", heading, line[heading:], heading))...) + result = append(result, []byte(fmt.Sprintf("%s", heading, html.EscapeString(string(line[heading:])), heading))...) continue } - result = append(result, line...) + result = append(result, html.EscapeString(string(line))...) result = append(result, []byte("
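Review bot: The href built in this hunk still accepts any URL scheme, because `html.EscapeString` prevents markup injection but does not constrain what the attribute points at. When `daemonAddress` is empty, rewriteURL falls through to `return u` (visible in the earlier hunk), so a link line from a remote page keeps whatever scheme it carries, including script-bearing ones such as `javascript:`. The line that builds the href is not legible in this hunk as rendered, so part of this is inferred. Consider parsing `linkURL` with `url.Parse` and emitting the anchor only when the scheme is empty or on a short allowlist (for example `gemini`, `http`, `https`), rendering the line as escaped text otherwise. Convert's body starts and ends outside the hunk.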
")...) } diff --git a/pkg/gmitohtml/daemon.go b/pkg/gmitohtml/daemon.go index ef2b665..61ccacd 100644 --- a/pkg/gmitohtml/daemon.go +++ b/pkg/gmitohtml/daemon.go @@ -117,7 +117,7 @@ func fetch(u string) ([]byte, []byte, error) { errorPage := []byte(pageHeader) errorPage = append(errorPage, []byte(fmt.Sprintf("Server sent unexpected header:

%s", header))...) errorPage = append(errorPage, []byte(pageFooter)...) - return header, errorPage, nil + return header, fillTemplateVariables(errorPage, u, false), nil } if bytes.HasPrefix(header, []byte("20 text/html")) {
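Review bot: `header` is interpolated into the error page with a bare `%s` in the `fmt.Sprintf` call two lines above the changed `return`, and it comes from the remote server, so a response header containing markup is rendered as HTML by the proxy. This commit escapes page content but leaves that path raw. Pass `html.EscapeString(string(header))` as the argument instead; daemon.go needs the `html` import if it does not already have it. Because `fillTemplateVariables` now runs after the header text is inserted, placeholder text inside the header would presumably be expanded as well, which escaping or substituting before interpolation avoids. fetch's body continues outside the hunk.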