Merge branch 'develop' into feature/load-module-tests

notzippy · web-flow · commit 95e9ae0de062 · 2017-05-17T20:20:03.000-07:00
diff --git a/.travis.yml b/.travis.yml
@@ -1,9 +1,6 @@
 language: go
 
 go:
-  - 1.4
-  - 1.5
-  - 1.6
   - 1.7
   - 1.8
   - tip
diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/README.md b/README.md
@@ -4,9 +4,9 @@
 
 A high productivity, full-stack web framework for the [Go language](http://www.golang.org).
 
-Current Version: 0.14.0 (2017-03-24)
+Current Version: 0.16.0-dev (2017-05-11)
 
-**As of Revel 0.13.0, Go 1.4+ is required.**
+**As of Revel 0.15.0, Go 1.7+ is required.**
 
 ## Quick Start
 
@@ -26,7 +26,6 @@ Open http://localhost:9000 in your browser and you should see "It works!"
 
 * [Gitter](https://gitter.im/revel/community)
 * [StackOverflow](http://stackoverflow.com/questions/tagged/revel)
-* [Google Groups](https://groups.google.com/forum/#!forum/revel-framework)
 
 ## Learn More
 
@@ -50,7 +49,7 @@ Finally, we'd like to thank the professional organizations that have supported t
 
 ## Announcements
 
-View the [v0.14.0 release notes](https://github.com/revel/revel/releases/tag/v0.14.0)
+View the [v0.15.0 release notes](https://github.com/revel/revel/releases/tag/v0.15.0)
 for all of the relevant changes.
 
 We are working on increasing the speed and quality of our releases. Your feedback has never been so valuable, please share your thoughts with us and help shape Revel!
diff --git a/i18n.go b/i18n.go
@@ -6,6 +6,7 @@ package revel
 
 import (
 	"fmt"
+	"html/template"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -85,7 +86,18 @@ func Message(locale, message string, args ...interface{}) string {
 
 	if len(args) > 0 {
 		TRACE.Printf("Arguments detected, formatting '%s' with %v", value, args)
-		value = fmt.Sprintf(value, args...)
+		safeArgs := make([]interface{}, 0, len(args))
+		for _, arg := range args {
+			switch a := arg.(type) {
+			case template.HTML:
+				safeArgs = append(safeArgs, a)
+			case string:
+				safeArgs = append(safeArgs, template.HTML(template.HTMLEscapeString(a)))
+			default:
+				safeArgs = append(safeArgs, a)
+			}
+		}
+		value = fmt.Sprintf(value, safeArgs...)
 	}
 
 	return value
diff --git a/i18n_test.go b/i18n_test.go
@@ -5,6 +5,7 @@
 package revel
 
 import (
+	"html/template"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -72,6 +73,14 @@ func TestI18nMessage(t *testing.T) {
 	if message := Message("nl", "unknown message"); message != "??? unknown message ???" {
 		t.Error("Message 'unknown message' is not supposed to exist")
 	}
+	// XSS
+	if message := Message("en", "arguments.string", "<img src=a onerror=alert(1) />"); message != "My name is &lt;img src=a onerror=alert(1) /&gt;" {
+		t.Error("XSS protection for messages is broken:", message)
+	}
+	// Avoid escaping HTML
+	if message := Message("en", "arguments.string", template.HTML("<img src=a onerror=alert(1) />")); message != "My name is <img src=a onerror=alert(1) />" {
+		t.Error("Passing safe HTML to message is broken:", message)
+	}
 }
 
 func TestI18nMessageWithDefaultLocale(t *testing.T) {
diff --git a/testing/testsuite_test.go b/testing/testsuite_test.go
@@ -76,7 +76,6 @@ func TestGetCustom(t *testing.T) {
 
 	testSuite.AssertOk()
 	testSuite.AssertContentType("application/json")
-	testSuite.AssertHeader("Server", "gunicorn/19.7.0")
 	testSuite.AssertContains("httpbin.org")
 	testSuite.AssertContainsRegex("gzip|deflate")
 }
diff --git a/version.go b/version.go
@@ -6,11 +6,11 @@ package revel
 
 const (
 	// Version current Revel version
-	Version = "0.14.0"
+	Version = "0.16.0-dev"
 
 	// BuildDate latest commit/release date
-	BuildDate = "2017-03-24"
+	BuildDate = "2017-05-11"
 
 	// MinimumGoVersion minimum required Go version for Revel
-	MinimumGoVersion = ">= go1.4"
+	MinimumGoVersion = ">= go1.7"
 )

-Original file line number
+Diff line change
@@ @@ -1,9 +1,6 @@ @@
 language: go
 go:
 -  - 1.4
 -  - 1.5
 -  - 1.6
   - 1.7
   - 1.8
   - tip
Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,6 @@ func TestGetCustom(t *testing.T) {`
`76`	`76`
`77`	`77`	`testSuite.AssertOk()`
`78`	`78`	`testSuite.AssertContentType("application/json")`
`79`		`- testSuite.AssertHeader("Server", "gunicorn/19.7.0")`
`80`	`79`	`testSuite.AssertContains("httpbin.org")`
`81`	`80`	`testSuite.AssertContainsRegex("gzip\|deflate")`
`82`	`81`	`}`