yakumo.izuru/yukari
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[fix] attribute escaping - better solution in the future: https://github.com/golang/go/issues/17667

Browse Source 
git-svn-id: file:///srv/svn/repo/yukari/trunk@21 f3bd38d9-da89-464d-a02a-eb04e43141b5
This commit is contained in:
asciimoo 2016-10-30 12:24:56 +00:00
parent a8f59090a4
commit 98adc74c0d
1 changed files with 13 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
morty.go
View File

@ -28,6 +28,7 @@ const (
) )
var CLIENT *fasthttp.Client = &fasthttp.Client{ var CLIENT *fasthttp.Client = &fasthttp.Client{
Dial: fasthttp.DialDualStack,
MaxResponseBodySize: 10 * 1024 * 1024, // 10M MaxResponseBodySize: 10 * 1024 * 1024, // 10M
} }
@ -342,7 +343,11 @@ func sanitizeHTML(rc *RequestConfig, out io.Writer, htmlDoc []byte) {
if hasAttrs { if hasAttrs {
for { for {
attrName, attrValue, moreAttr := decoder.TagAttr() attrName, attrValue, moreAttr := decoder.TagAttr()
attrs = append(attrs, [][]byte{attrName, attrValue}) attrs = append(attrs, [][]byte{
attrName,
attrValue,
[]byte(html.EscapeString(string(attrValue))),
})
if !moreAttr { if !moreAttr {
break break
} }
@ -463,7 +468,7 @@ func sanitizeLinkTag(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
if !exclude { if !exclude {
out.Write([]byte("<link")) out.Write([]byte("<link"))
for _, attr := range attrs { for _, attr := range attrs {
sanitizeAttr(rc, out, attr[0], attr[1]) sanitizeAttr(rc, out, attr[0], attr[1], attr[2])
} }
out.Write([]byte(">")) out.Write([]byte(">"))
} }
@ -498,13 +503,13 @@ func sanitizeMetaAttrs(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
func sanitizeAttrs(rc *RequestConfig, out io.Writer, attrs [][][]byte) { func sanitizeAttrs(rc *RequestConfig, out io.Writer, attrs [][][]byte) {
for _, attr := range attrs { for _, attr := range attrs {
sanitizeAttr(rc, out, attr[0], attr[1]) sanitizeAttr(rc, out, attr[0], attr[1], attr[2])
} }
} }
func sanitizeAttr(rc *RequestConfig, out io.Writer, attrName, attrValue []byte) { func sanitizeAttr(rc *RequestConfig, out io.Writer, attrName, attrValue, escapedAttrValue []byte) {
if inArray(attrName, SAFE_ATTRIBUTES) { if inArray(attrName, SAFE_ATTRIBUTES) {
fmt.Fprintf(out, " %s=\"%s\"", attrName, attrValue) fmt.Fprintf(out, " %s=\"%s\"", attrName, escapedAttrValue)
return return
} }
switch string(attrName) { switch string(attrName) {
@ -515,9 +520,9 @@ func sanitizeAttr(rc *RequestConfig, out io.Writer, attrName, attrValue []byte)
log.Println("cannot proxify uri:", attrValue) log.Println("cannot proxify uri:", attrValue)
} }
case "style": case "style":
fmt.Fprintf(out, " %s=\"", attrName) cssAttr := bytes.NewBuffer(nil)
sanitizeCSS(rc, out, attrValue) sanitizeCSS(rc, cssAttr, attrValue)
out.Write([]byte("\"")) fmt.Fprintf(out, " %s=\"%s\"", attrName, html.EscapeString(string(cssAttr.Bytes())))
} }
} }