
fix http response XSS (#26)

This commit is contained in:
Felix Hao 2019-04-24 09:38:57 +08:00 committed by GitHub
parent e39351d0d1
commit d23ca7df4f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5,6 +5,7 @@ import (
"math" "math"
"net/http" "net/http"
"strconv" "strconv"
"text/template"
"github.com/bilibili/kratos/pkg/ecode" "github.com/bilibili/kratos/pkg/ecode"
"github.com/bilibili/kratos/pkg/net/http/blademaster/binding" "github.com/bilibili/kratos/pkg/net/http/blademaster/binding"
@ -144,9 +145,8 @@ func (c *Context) Render(code int, r render.Render) {
} }
params := c.Request.Form params := c.Request.Form
cb := template.JSEscapeString(params.Get("callback"))
cb := params.Get("callback") jsonp := cb != ""
jsonp := cb != "" && params.Get("jsonp") == "jsonp"
if jsonp { if jsonp {
c.Writer.Write([]byte(cb)) c.Writer.Write([]byte(cb))
c.Writer.Write(_openParen) c.Writer.Write(_openParen)