No description

Pierre-Olivier Mercier 93673510d8 fix(security): escape LDAP attribute data in HTML output to prevent XSS (CWE-79) ... Use html.EscapeString for attribute names and values when building HTML. Move dynamic data (alias URL, API token) to data-* attributes and use a self-contained onclick function to read them, eliminating JS string injection via LDAP-controlled values. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-03-06 15:30:48 +07:00
static	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
.drone.yml	Replace bindata by embed	2024-05-31 15:52:25 +02:00
.gitignore	chldapasswd is now a go module	2021-02-03 15:16:19 +01:00
addy.go	Can delete own aliases	2026-03-06 15:30:48 +07:00
change.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
csrf.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
Dockerfile	Replace bindata by embed	2024-05-31 15:52:25 +02:00
go.mod	chore(deps): update dependency go to v1.26.0	2026-03-06 15:30:48 +07:00
go.sum	chore(deps): update module github.com/go-ldap/ldap/v3 to v3.4.12	2026-03-06 15:30:48 +07:00
ldap.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
login.go	fix(security): escape LDAP attribute data in HTML output to prevent XSS (CWE-79)	2026-03-06 15:30:48 +07:00
lost.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
main.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
renovate.json	Add renovate.json	2021-08-03 09:02:00 +00:00
reset.go	fix(security): redesign password reset tokens using crypto/rand with server-side storage	2026-03-06 15:30:48 +07:00
static.go	Replace bindata by embed	2024-05-31 15:52:25 +02:00