ISSUE-203

2019-05-11 14:42:59 +02:00
parent 5bbafa9ed7
commit cc401433a6
6745 changed files with 436 additions and 5109502 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@ -35,6 +35,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/russross/blackfriday"
 	"html"
 	html_template "html/template"
 	"io"
@ -55,12 +56,11 @@ import (

 	"net"

+	"encoding/base64"
 	web "github.com/dutchcoders/transfer.sh-web"
 	"github.com/gorilla/mux"
-	"github.com/russross/blackfriday"
-
-	"encoding/base64"
-	qrcode "github.com/skip2/go-qrcode"
+	"github.com/microcosm-cc/bluemonday"
+	"github.com/skip2/go-qrcode"
 )

 var (
@ -134,7 +134,8 @@ func (s *Server) previewHandler(w http.ResponseWriter, r *http.Request) {

 		if strings.HasPrefix(contentType, "text/x-markdown") || strings.HasPrefix(contentType, "text/markdown") {
 			escapedData := html.EscapeString(string(data))
-			output := blackfriday.MarkdownCommon([]byte(escapedData))
+			unsafe := blackfriday.Run([]byte(escapedData))
+			output := bluemonday.UGCPolicy().SanitizeBytes(unsafe)
 			content = html_template.HTML(output)
 		} else if strings.HasPrefix(contentType, "text/plain") {
 			content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(string(data))))
@ -985,6 +986,17 @@ func LoveHandler(h http.Handler) http.HandlerFunc {
 	}
 }

+func IPFilterHandler(h http.Handler, ipFilterOptions *IPFilterOptions) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if ipFilterOptions == nil {
+			h.ServeHTTP(w, r)
+		} else {
+			WrapIPFilter(h, *ipFilterOptions).ServeHTTP(w, r)
+		}
+		return
+	}
+}
+
 func (s *Server) BasicAuthHandler(h http.Handler) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if s.AuthUser == "" || s.AuthPass == "" {