Changeset 27 in code
- Timestamp:
- Nov 21, 2016, 10:36:58 PM (9 years ago)
- File:
-
- 1 edited
-
trunk/morty.go (modified) (5 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/morty.go
r26 r27 12 12 "log" 13 13 "net/url" 14 "path" 14 15 "regexp" 15 16 "strings" … … 31 32 } 32 33 33 var CSS_URL_REGEXP *regexp.Regexp = regexp.MustCompile("url\\((['\"]?) ([\u0009\u0021\u0023-\u0026\u0028\u002a-\u007E]+)(['\"]?)\\)?")34 var CSS_URL_REGEXP *regexp.Regexp = regexp.MustCompile("url\\((['\"]?)[ \\t\\f]*([\u0009\u0021\u0023-\u0026\u0028\u002a-\u007E]+)(['\"]?)\\)?") 34 35 35 36 var UNSAFE_ELEMENTS [][]byte = [][]byte{ … … 382 383 if bytes.Equal(attr[0], []byte("action")) { 383 384 formURL, _ = url.Parse(string(attr[1])) 384 formURL =mergeURIs(rc.BaseURL, formURL)385 mergeURIs(rc.BaseURL, formURL) 385 386 break 386 387 } … … 526 527 } 527 528 528 func mergeURIs(u1, u2 *url.URL) (*url.URL) { 529 return u1.ResolveReference(u2) 529 func mergeURIs(u1, u2 *url.URL) { 530 if u2.Scheme == "" || u2.Scheme == "//" { 531 u2.Scheme = u1.Scheme 532 } 533 if u2.Host == "" && u1.Path != "" { 534 u2.Host = u1.Host 535 if len(u2.Path) == 0 || u2.Path[0] != '/' { 536 u2.Path = path.Join(u1.Path[:strings.LastIndexByte(u1.Path, byte('/'))], u2.Path) 537 } 538 } 530 539 } 531 540 532 541 func (rc *RequestConfig) ProxifyURI(uri string) (string, error) { 533 // remove javascript protocol534 if strings.HasPrefix(uri, "javascript:") {535 return "", nil536 }537 542 // TODO check malicious data: - e.g. data:script 538 543 if strings.HasPrefix(uri, "data:") { … … 548 553 return "", err 549 554 } 550 u =mergeURIs(rc.BaseURL, u)555 mergeURIs(rc.BaseURL, u) 551 556 552 557 uri = u.String()
Note:
See TracChangeset
for help on using the changeset viewer.
