|
5 | 5 | package local |
6 | 6 |
|
7 | 7 | import ( |
| 8 | + "bytes" |
8 | 9 | "context" |
9 | 10 | "fmt" |
10 | | - "html/template" // must be html/template, and not text/template to have injection protection |
| 11 | + "html" |
11 | 12 | "net" |
12 | 13 | "net/http" |
13 | 14 | "strconv" |
@@ -42,13 +43,14 @@ var failPage = []byte(` |
42 | 43 | </html> |
43 | 44 | `) |
44 | 45 |
|
45 | | -// code is the html template variable name, |
46 | | -// which matches the Result Code variable |
47 | | -const code string = "Code" |
48 | | - |
49 | | -// err is the html template variable name |
50 | | -// which matches the Result Err variable |
51 | | -const err string = "Err" |
| 46 | +var ( |
| 47 | + // code is the html template variable name, |
| 48 | + // which matches the Result Code variable |
| 49 | + code = []byte("{{.Code}}") |
| 50 | + // err is the html template variable name |
| 51 | + // which matches the Result Err variable |
| 52 | + err = []byte("{{.Err}}") |
| 53 | +) |
52 | 54 |
|
53 | 55 | // Result is the result from the redirect. |
54 | 56 | type Result struct { |
@@ -164,17 +166,21 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) { |
164 | 166 | if headerErr != "" { |
165 | 167 | // Note: It is a little weird we handle some errors by not going to the failPage. If they all should, |
166 | 168 | // change this to s.error() and make s.error() write the failPage instead of an error code. |
167 | | - failPageTemplate, err := template.New("failPage").Parse(string(s.errorPage)) // html template will be injection safe |
168 | | - if err != nil { |
169 | | - s.error(w, http.StatusInternalServerError, "error parsing template") |
| 169 | + |
| 170 | + errDesc := q.Get("error_description") |
| 171 | + errorDesc := fmt.Errorf(errDesc) |
| 172 | + |
| 173 | + if bytes.Contains(s.errorPage, code) { |
| 174 | + s.errorPage = bytes.Replace(s.errorPage, code, []byte(html.EscapeString(headerErr)), 1) // provides XSS protection |
170 | 175 | } |
171 | 176 |
|
172 | | - errDesc := fmt.Errorf(q.Get("error_description")) |
173 | | - err = failPageTemplate.Execute(w, Result{Code: headerErr, Err: errDesc}) // escapes html entities |
174 | | - if err != nil { |
175 | | - s.error(w, http.StatusInternalServerError, "error rendering page") |
| 177 | + if bytes.Contains(s.errorPage, err) { |
| 178 | + s.errorPage = bytes.Replace(s.errorPage, err, []byte(html.EscapeString(errDesc)), 1) // provides XSS protection |
176 | 179 | } |
177 | | - s.putResult(Result{Err: errDesc}) |
| 180 | + |
| 181 | + _, _ = w.Write(s.errorPage) |
| 182 | + |
| 183 | + s.putResult(Result{Err: errorDesc}) |
178 | 184 | return |
179 | 185 | } |
180 | 186 |
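Review bot: The two `s.errorPage = bytes.Replace(...)` assignments (new lines 174 and 178) overwrite the server's shared page in place, so the `{{.Code}}`/`{{.Err}}` placeholders are consumed by the first failing request, every later request renders that first caller's escaped values, and concurrent handler invocations write the same field unsynchronized. Render into a local instead: `page := bytes.Replace(s.errorPage, code, []byte(html.EscapeString(headerErr)), 1)`, `page = bytes.Replace(page, err, []byte(html.EscapeString(errDesc)), 1)`, `_, _ = w.Write(page)` — the `bytes.Contains` guards then become unnecessary because Replace is a no-op when the placeholder is absent. Unlike the removed html/template, `html.EscapeString` is not context-aware, so this only gives equivalent protection if the placeholders sit in element text or a quoted attribute of the page (the page body is outside this hunk); a comment stating that constraint next to the `var` block in the earlier hunk, such as `// placeholders must only appear in element text or quoted attributes; html.EscapeString is not context-aware`, would pin it down. The pre-existing `fmt.Errorf(errDesc)` on line 171 passes the query-supplied description as a format string, which `go vet` flags as a non-constant format string and which garbles the message when it contains `%`; `errors.New(errDesc)` is the intended form. handler starts before this hunk and its body continues past it.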
|
|