backend: fix XSS in team name and events
This commit is contained in:
parent
ca8bac1ac8
commit
429cd3010c
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
|
@ -49,7 +50,7 @@ func treatOpeningHint(pathname string, team fic.Team) {
|
||||||
log.Printf("%s [WRN] %s\n", id, err)
|
log.Printf("%s [WRN] %s\n", id, err)
|
||||||
} else if theme, err := fic.GetTheme(exercice.IdTheme); err != nil {
|
} else if theme, err := fic.GetTheme(exercice.IdTheme); err != nil {
|
||||||
log.Printf("%s [WRN] %s\n", id, err)
|
log.Printf("%s [WRN] %s\n", id, err)
|
||||||
} else if _, err = fic.NewEvent(fmt.Sprintf("L'équipe %s a dévoilé un indice pour le <strong>%d<sup>e</sup></strong> défi %s !", team.Name, lvl, theme.Name), "info"); err != nil {
|
} else if _, err = fic.NewEvent(fmt.Sprintf("L'équipe %s a dévoilé un indice pour le <strong>%d<sup>e</sup></strong> défi %s !", html.EscapeString(team.Name), lvl, theme.Name), "info"); err != nil {
|
||||||
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
|
@ -86,7 +87,7 @@ func treatRegistration(pathname string, team_id string) {
|
||||||
if err := os.Remove(pathname); err != nil {
|
if err := os.Remove(pathname); err != nil {
|
||||||
log.Printf("%s [WRN] %s\n", id, err)
|
log.Printf("%s [WRN] %s\n", id, err)
|
||||||
}
|
}
|
||||||
if _, err := fic.NewEvent(fmt.Sprintf("Souhaitons bonne chance à l'équipe <strong>%s</strong> qui vient de nous rejoindre !", team.Name), "info"); err != nil {
|
if _, err := fic.NewEvent(fmt.Sprintf("Souhaitons bonne chance à l'équipe <strong>%s</strong> qui vient de nous rejoindre !", html.EscapeString(team.Name)), "info"); err != nil {
|
||||||
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
|
@ -38,7 +39,7 @@ func treatRename(pathname string, team fic.Team) {
|
||||||
log.Printf("%s [WRN] Unable to change team name: %s\n", id, err)
|
log.Printf("%s [WRN] Unable to change team name: %s\n", id, err)
|
||||||
}
|
}
|
||||||
genTeamQueue <- &team
|
genTeamQueue <- &team
|
||||||
if _, err := fic.NewEvent(fmt.Sprintf("Souhaitons bonne chance à l'équipe <strong>%s</strong> qui vient de nous rejoindre !", team.Name), "info"); err != nil {
|
if _, err := fic.NewEvent(fmt.Sprintf("Souhaitons bonne chance à l'équipe <strong>%s</strong> qui vient de nous rejoindre !", html.EscapeString(team.Name)), "info"); err != nil {
|
||||||
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
log.Printf("%s [WRN] Unable to create event: %s\n", id, err)
|
||||||
}
|
}
|
||||||
appendGenQueue(genStruct{Type: GenEvents})
|
appendGenQueue(genStruct{Type: GenEvents})
|
||||||
|
|
|
||||||
|
|
@ -5,6 +5,7 @@ import (
|
||||||
"encoding/binary"
|
"encoding/binary"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"html"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
|
|
@ -127,7 +128,7 @@ func treatSubmission(pathname string, team fic.Team, exercice_id string) {
|
||||||
// Write event
|
// Write event
|
||||||
if lvl, err := exercice.GetLevel(); err != nil {
|
if lvl, err := exercice.GetLevel(); err != nil {
|
||||||
log.Println(id, "[ERR] Unable to get exercice level:", err)
|
log.Println(id, "[ERR] Unable to get exercice level:", err)
|
||||||
} else if _, err := fic.NewEvent(fmt.Sprintf("L'équipe %s a résolu le <strong>%d<sup>e</sup></strong> défi %s !", team.Name, lvl, theme.Name), "success"); err != nil {
|
} else if _, err := fic.NewEvent(fmt.Sprintf("L'équipe %s a résolu le <strong>%d<sup>e</sup></strong> défi %s !", html.EscapeString(team.Name), lvl, theme.Name), "success"); err != nil {
|
||||||
log.Println(id, "[WRN] Unable to create event:", err)
|
log.Println(id, "[WRN] Unable to create event:", err)
|
||||||
}
|
}
|
||||||
genTeamQueue <- &team
|
genTeamQueue <- &team
|
||||||
|
|
@ -140,7 +141,7 @@ func treatSubmission(pathname string, team fic.Team, exercice_id string) {
|
||||||
if tm.Unix() == 0 {
|
if tm.Unix() == 0 {
|
||||||
if lvl, err := exercice.GetLevel(); err != nil {
|
if lvl, err := exercice.GetLevel(); err != nil {
|
||||||
log.Println(id, "[ERR] Unable to get exercice level:", err)
|
log.Println(id, "[ERR] Unable to get exercice level:", err)
|
||||||
} else if _, err := fic.NewEvent(fmt.Sprintf("L'équipe %s tente le <strong>%d<sup>e</sup></strong> défi %s !", team.Name, lvl, theme.Name), "warning"); err != nil {
|
} else if _, err := fic.NewEvent(fmt.Sprintf("L'équipe %s tente le <strong>%d<sup>e</sup></strong> défi %s !", html.EscapeString(team.Name), lvl, theme.Name), "warning"); err != nil {
|
||||||
log.Println(id, "[WRN] Unable to create event:", err)
|
log.Println(id, "[WRN] Unable to create event:", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue