oss/miniflux-v2
oss/miniflux-v2
1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-07-02 16:38:37 +00:00
Code Wiki Activity

addImageTitle: Fix HTML injection

Browse source 
This rewrite rule would change this:

    <img title="<foo>">

to this:

    <figure><img><figcaption><foo></figcaption></figure>

The image title needs to be properly escaped.
This commit is contained in:
Peter De Wachter 2019-08-14 09:33:54 +02:00 committed by Frédéric Guillot
parent 3a39d110f0
commit ea2b6e3608
2 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
reader/rewrite/rewrite_functions.go
View file

@ -6,6 +6,7 @@ package rewrite // import "miniflux.app/reader/rewrite"
import (
"fmt"
"html"
"regexp"
"strings"
@ -32,7 +33,7 @@ func addImageTitle(entryURL, entryContent string) string {
srcAttr, _ := img.Attr("src")
titleAttr, _ := img.Attr("title")
img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + titleAttr + `</p></figcaption></figure>`)
img.ReplaceWithHtml(`<figure><img src="` + srcAttr + `" alt="` + altAttr + `"/><figcaption><p>` + html.EscapeString(titleAttr) + `</p></figcaption></figure>`)
})
output, _ := doc.Find("body").First().Html()