Merge pull request #306 from Bwko/Security
Fixes XSS, clickjacking & password autocompletion
commit
6dc6926abe
5 changed files with 13 additions and 10 deletions
|
@ -6,6 +6,7 @@ package context
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"html/template"
|
"html/template"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Data["CsrfToken"] = x.GetToken()
|
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
||||||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
|
|
||||||
|
ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
|
||||||
|
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
|
||||||
log.Debug("Session ID: %s", sess.ID())
|
log.Debug("Session ID: %s", sess.ID())
|
||||||
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
|
log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
|
||||||
|
|
||||||
|
|
|
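Review bot: Escaping the token at storage time, `ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())`, changes the value every template sees, while html/template already contextually escapes `{{.CsrfToken}}` wherever a template interpolates it; if the token ever contained a character html.EscapeString rewrites, those uses would be escaped twice, and the only sink that bypasses the auto-escaper is the hand-built `template.HTML` string on the next line. Escape at that sink instead and keep the raw token in ctx.Data: `token := x.GetToken()`, `ctx.Data["CsrfToken"] = token`, and build the hidden input from `template.HTMLEscapeString(token)`, which also removes the `.(string)` assertion and the new `html` import since `html/template` is already imported. The `X-Frame-Options: SAMEORIGIN` header is set from Contexter, so it presumably covers every response routed through it; whether anything written outside Contexter carries it cannot be seen from the hunk. Contexter's body continues outside the hunk.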
@ -13,7 +13,7 @@
|
||||||
{{if .IsResetForm}}
|
{{if .IsResetForm}}
|
||||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||||
<input id="password" name="password" type="password" value="{{.password}}" autofocus required>
|
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" autofocus required>
|
||||||
</div>
|
</div>
|
||||||
<div class="ui divider"></div>
|
<div class="ui divider"></div>
|
||||||
<div class="inline field">
|
<div class="inline field">
|
||||||
|
|
|
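Review bot: `autocomplete="off"` on the password input here, and on the ones in the next three sections (which look like the signin, signup and password-settings forms), is ignored by current browsers for password fields, so it does not actually prevent credential storage; the tokens browsers honor are `autocomplete="current-password"` on inputs that take the existing password (signin, and `old_password` in settings) and `autocomplete="new-password"` on inputs that set one (this reset form, `password`/`retype` in signup and in settings). Separately, `value="{{.password}}"` on this input and on the signin and signup ones re-emits the submitted password into the response body when the form is re-rendered; html/template escapes it so it is not an injection, but the plaintext lands in the page source and in anything that captures the page, and the attribute can be dropped because a password field gains nothing from being pre-filled.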
@ -15,7 +15,7 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||||
<input id="password" name="password" type="password" value="{{.password}}" required>
|
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
|
||||||
</div>
|
</div>
|
||||||
<div class="inline field">
|
<div class="inline field">
|
||||||
<label></label>
|
<label></label>
|
||||||
|
|
|
@ -22,11 +22,11 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="password">{{.i18n.Tr "password"}}</label>
|
<label for="password">{{.i18n.Tr "password"}}</label>
|
||||||
<input id="password" name="password" type="password" value="{{.password}}" required>
|
<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
|
||||||
</div>
|
</div>
|
||||||
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
<div class="required inline field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="retype">{{.i18n.Tr "re_type"}}</label>
|
<label for="retype">{{.i18n.Tr "re_type"}}</label>
|
||||||
<input id="retype" name="retype" type="password" value="{{.retype}}" required>
|
<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
|
||||||
</div>
|
</div>
|
||||||
{{if .EnableCaptcha}}
|
{{if .EnableCaptcha}}
|
||||||
<div class="inline field">
|
<div class="inline field">
|
||||||
|
|
|
@ -14,15 +14,15 @@
|
||||||
{{.CsrfTokenHtml}}
|
{{.CsrfTokenHtml}}
|
||||||
<div class="required field {{if .Err_OldPassword}}error{{end}}">
|
<div class="required field {{if .Err_OldPassword}}error{{end}}">
|
||||||
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
|
<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
|
||||||
<input id="old_password" name="old_password" type="password" autofocus required>
|
<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
|
||||||
</div>
|
</div>
|
||||||
<div class="required field {{if .Err_Password}}error{{end}}">
|
<div class="required field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
|
<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
|
||||||
<input id="password" name="password" type="password" required>
|
<input id="password" name="password" type="password" autocomplete="off" required>
|
||||||
</div>
|
</div>
|
||||||
<div class="required field {{if .Err_Password}}error{{end}}">
|
<div class="required field {{if .Err_Password}}error{{end}}">
|
||||||
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
|
<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
|
||||||
<input id="retype" name="retype" type="password" required>
|
<input id="retype" name="retype" type="password" autocomplete="off" required>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="field">
|
<div class="field">
|
||||||
|
@ -33,7 +33,7 @@
|
||||||
<div class="ui info message">
|
<div class="ui info message">
|
||||||
<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
|
<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
|
||||||
</div>
|
</div>
|
||||||
{{end}}
|
{{end}}
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|