10 years, 5 months ago
(2013-11-13 15:08:26 UTC)
#2
Remove the TODO a line above that, and please add a test.
On Wed, Nov 13, 2013 at 6:13 AM, <mattn.jp@gmail.com> wrote:
> Reviewers: golang-dev1,
>
> Message:
> Hello golang-dev@googlegroups.com,
>
> I'd like you to review this change to
> http://go.googlecode.com/hg/
>
>
> Description:
> net/http: escape url/html in directory index
>
> Please review this at https://codereview.appspot.com/26090043/
>
> Affected files (+2, -1 lines):
> M src/pkg/net/http/fs.go
>
>
> Index: src/pkg/net/http/fs.go
> ===================================================================
> --- a/src/pkg/net/http/fs.go
> +++ b/src/pkg/net/http/fs.go
> @@ -13,6 +13,7 @@
> "mime"
> "mime/multipart"
> "net/textproto"
> + "net/url"
> "os"
> "path"
> "path/filepath"
> @@ -74,7 +75,7 @@
> name += "/"
> }
> // TODO htmlescape
> - fmt.Fprintf(w, "<a href=\"%s\">%s</a>\n", name,
> name)
> + fmt.Fprintf(w, "<a href=\"%s\">%s</a>\n",
> url.QueryEscape(name), htmlEscape(name))
> }
> }
> fmt.Fprintf(w, "</pre>\n")
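Review bot: url.QueryEscape is the wrong encoder for the href in the replaced Fprintf line: it is query-component escaping, so the "/" that the `name += "/"` line just above appends to directory names becomes "%2F" and any space becomes "+", which a browser sends as a literal plus in a path. Escape the name as a URL path instead (percent-encode but keep "/"), and because the value sits inside a double-quoted attribute, HTML-escape the encoded string too so a "&" that path escaping leaves alone becomes "&amp;". The `// TODO htmlescape` comment is now addressed by this change and should be dropped from the hunk rather than left in place.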
>
>
> --
>
> ---You received this message because you are subscribed to the Google
> Groups "golang-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-dev+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
10 years, 5 months ago
(2013-11-15 08:24:14 UTC)
#4
On 2013/11/14 00:36:41, mattn wrote:
> Hello golang-dev@googlegroups.com, bradfitz@golang.org (cc: golang-dev@googlegroups.com),
>
> Please take another look.
Could you please review this?
10 years, 5 months ago
(2013-11-15 14:51:32 UTC)
#5
The tree is closed for two weeks anyway. But looks fine. I haven't looked
at the test in detail.
On Nov 15, 2013 12:24 AM, <mattn.jp@gmail.com> wrote:
> On 2013/11/14 00:36:41, mattn wrote:
>> Hello golang-dev@googlegroups.com, bradfitz@golang.org (cc: golang-dev@googlegroups.com),
>>
>> Please take another look.
>
> Could you please review this?
>
> https://codereview.appspot.com/26090043/
>
LGTM but wait for bradfitz
https://codereview.appspot.com/26090043/diff/100001/src/pkg/net/http/fs_test.go
File src/pkg/net/http/fs_test.go (right):
https://codereview.appspot.com/26090043/diff/100001/src/pkg/net/http/fs_test.go#newcode467
src/pkg/net/http/fs_test.go:467: t.Errorf("directory index got link ...
10 years, 4 months ago
(2013-12-09 20:58:14 UTC)
#6
https://codereview.appspot.com/26090043/diff/100001/src/pkg/net/http/fs_test.go
File src/pkg/net/http/fs_test.go (right):
https://codereview.appspot.com/26090043/diff/100001/src/pkg/net/http/fs_test.go#newcode467
src/pkg/net/http/fs_test.go:467: t.Errorf("directory index got link %q, should be matched %q", ...
10 years, 4 months ago
(2013-12-10 00:40:48 UTC)
#7
10 years, 4 months ago
(2013-12-10 12:01:25 UTC)
#9
https://codereview.appspot.com/26090043/diff/120001/src/pkg/net/http/fs.go
File src/pkg/net/http/fs.go (right):
https://codereview.appspot.com/26090043/diff/120001/src/pkg/net/http/fs.go#ne...
src/pkg/net/http/fs.go:77: fmt.Fprintf(w, "<a href=\"%s\">%s</a>\n",
url.QueryEscape(name), htmlEscape(name))
On 2013/12/10 11:32:04, bradfitz wrote:
> why url.QueryEscape? This isn't a query parameter that you need to %xx escape.
> I think they should both be htmlEscape.
If you create a directory named '"', it must be escaped with % not ".
So it should be:
<a href="%22">"</a>
If someone creates '<', it will cause XSS. (I know they won't publish a directory
index to unknown users)
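The two-context escaping that #9 argues over, as an added Go example that is not code from the Go project or from this review: it renders a directory index the pre-patch way (name interpolated verbatim into both the attribute and the text) and the hardened way (URL-path escaping for the href, HTML escaping for the visible text, and HTML escaping of the encoded href because it sits inside a quoted attribute), and it shows why the patch's url.QueryEscape misbehaves for directory names with a space or the trailing slash. The entry type, the sample names and all function names are my own constructions, not the net/http internals.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// entry is a constructed stand-in for the os.FileInfo values a directory
// listing iterates over; only the name and the directory flag matter here.
type entry struct {
	name  string
	isDir bool
}

// hrefQueryEscape does what the patch under review does: url.QueryEscape on
// the whole name. That is query-component escaping, so " " becomes "+" and
// "/" becomes "%2F"; the slash appended for directories stops being a path
// separator.
func hrefQueryEscape(name string) string {
	return url.QueryEscape(name)
}

// hrefPathEscape escapes the name as a URL path instead. url.URL{Path: name}
// percent-encodes bytes that are not valid in a path (space, quotes, <, >,
// non-ASCII) but leaves "/" intact. The encoded string is then HTML-escaped
// because it is placed inside a double-quoted attribute: "&" is legal in a
// URL path but must be "&amp;" in HTML.
func hrefPathEscape(name string) string {
	u := url.URL{Path: name}
	return html.EscapeString(u.String())
}

// renderUnescaped reproduces the pre-patch listing: the name lands verbatim
// in both the attribute and the text node, so a file named "<script>"
// becomes live markup (deliberately vulnerable, for comparison).
func renderUnescaped(entries []entry) string {
	var b strings.Builder
	b.WriteString("<pre>\n")
	for _, e := range entries {
		name := e.name
		if e.isDir {
			name += "/"
		}
		fmt.Fprintf(&b, "<a href=\"%s\">%s</a>\n", name, name)
	}
	b.WriteString("</pre>\n")
	return b.String()
}

// renderEscaped is the hardened form: each output context gets the encoder
// that matches it, path escaping for the href and HTML escaping for the text.
func renderEscaped(entries []entry) string {
	var b strings.Builder
	b.WriteString("<pre>\n")
	for _, e := range entries {
		name := e.name
		if e.isDir {
			name += "/"
		}
		fmt.Fprintf(&b, "<a href=\"%s\">%s</a>\n", hrefPathEscape(name), html.EscapeString(name))
	}
	b.WriteString("</pre>\n")
	return b.String()
}

func main() {
	// Constructed sample directory; the names are chosen to hit each context.
	sample := []entry{
		{name: `<script>alert(1)</script>`, isDir: false},
		{name: `"`, isDir: false},
		{name: `my docs`, isDir: true},
		{name: `a&b`, isDir: false},
	}
	fmt.Print("--- unescaped (vulnerable) ---\n", renderUnescaped(sample))
	fmt.Print("--- escaped ---\n", renderEscaped(sample))
	fmt.Println("--- href for directory 'my docs': query escaping vs path escaping ---")
	fmt.Println(hrefQueryEscape("my docs/"), hrefPathEscape("my docs/"))
}
```

For the directory "my docs" the two encoders give "my+docs%2F" and "my%20docs/"; only the second is a working relative link. If you prefer url.PathEscape (Go 1.8 and later), note that it escapes "/" as well, so apply it to the bare name and append the directory slash afterwards.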
not lgtm
https://codereview.appspot.com/26090043/diff/140002/src/pkg/net/http/fs.go
File src/pkg/net/http/fs.go (right):
https://codereview.appspot.com/26090043/diff/140002/src/pkg/net/http/fs.go#newcode64
src/pkg/net/http/fs.go:64: var noEsc = []byte(`!$&'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz~`)
there are packages ...
10 years, 4 months ago
(2013-12-26 19:29:41 UTC)
#15
Issue 26090043: code review 26090043: net/http: escape url/html in directory index
Created 10 years, 5 months ago by mattn
Modified 10 years, 3 months ago
Reviewers: golang-codereviews, bradfitz, r, gobot
Base URL:
Comments: 12