browse: Sanitize file names and links in default template

Thanks to Kevin Froman (@beardog108) for the responsible heads up.
2025-11-04 03:27:23 -05:00 · 2017-01-23 22:37:46 -07:00 · 2017-01-23 22:37:46 -07:00 · 62fea30e87
commit 62fea30e87
parent bbee961415
1 changed files with 5 additions and 5 deletions
--- a/caddyhttp/browse/setup.go
+++ b/caddyhttp/browse/setup.go
@ -101,7 +101,7 @@ func browseParse(c *caddy.Controller) ([]Config, error) {
 const defaultTemplate = `<!DOCTYPE html>
 <html>
 	<head>
-		<title>{{.Name}}</title>
+		<title>{{html .Name}}</title>
 		<meta charset="utf-8">
 		<meta name="viewport" content="width=device-width, initial-scale=1.0">
 <style>
@ -323,7 +323,7 @@ footer {
 		<header>
 			<h1>
-				{{range $url, $name := .BreadcrumbMap}}<a href="{{$url}}">{{$name}}</a>{{if ne $url "/"}}/{{end}}{{end}}
+				{{range $url, $name := .BreadcrumbMap}}<a href="{{html $url}}">{{html $name}}</a>{{if ne $url "/"}}/{{end}}{{end}}
 			</h1>
 		</header>
 		<main>
@ -385,13 +385,13 @@ footer {
 					{{- range .Items}}
 					<tr class="file">
 						<td>
-							<a href="{{.URL}}">
+							<a href="{{html .URL}}">
 								{{- if .IsDir}}
 								<svg width="1.5em" height="1em" version="1.1" viewBox="0 0 35.678803 28.527945"><use xlink:href="#folder"></use></svg>
 								{{- else}}
 								<svg width="1.5em" height="1em" version="1.1" viewBox="0 0 26.604381 29.144726"><use xlink:href="#file"></use></svg>
 								{{- end}}
-								<span class="name">{{.Name}}</span>
+								<span class="name">{{html .Name}}</span>
 							</a>
 						</td>
 						{{- if .IsDir}}
@ -407,7 +407,7 @@ footer {
 			</div>
 		</main>
 		<footer>
-			Served with <a rel="noopener noreferrer" href="https://caddyserver.com">Caddy</a>.
+			Served with <a rel="noopener noreferrer" href="https://caddyserver.com">Caddy</a>
 		</footer>
 		<script>
 			var filterEl = document.getElementById('filter');