Prevent XSS

ptman · ptman · commit 9f5bb1cdd4f8 · 2017-03-28T17:18:39.000+03:00
diff --git a/i18n.go b/i18n.go
@@ -6,6 +6,7 @@ package revel
 
 import (
 	"fmt"
+	"html/template"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -85,7 +86,18 @@ func Message(locale, message string, args ...interface{}) string {
 
 	if len(args) > 0 {
 		TRACE.Printf("Arguments detected, formatting '%s' with %v", value, args)
-		value = fmt.Sprintf(value, args...)
+		safeArgs := make([]interface{}, 0, len(args))
+		for _, arg := range args {
+			switch a := arg.(type) {
+			case template.HTML:
+				safeArgs = append(safeArgs, a)
+			case string:
+				safeArgs = append(safeArgs, template.HTML(template.HTMLEscapeString(a)))
+			default:
+				safeArgs = append(safeArgs, a)
+			}
+		}
+		value = fmt.Sprintf(value, safeArgs...)
 	}
 
 	return value
diff --git a/i18n_test.go b/i18n_test.go
@@ -5,6 +5,7 @@
 package revel
 
 import (
+	"html/template"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -72,6 +73,14 @@ func TestI18nMessage(t *testing.T) {
 	if message := Message("nl", "unknown message"); message != "??? unknown message ???" {
 		t.Error("Message 'unknown message' is not supposed to exist")
 	}
+	// XSS
+	if message := Message("en", "arguments.string", "<img src=a onerror=alert(1) />"); message != "My name is &lt;img src=a onerror=alert(1) /&gt;" {
+		t.Error("XSS protection for messages is broken:", message)
+	}
+	// Avoid escaping HTML
+	if message := Message("en", "arguments.string", template.HTML("<img src=a onerror=alert(1) />")); message != "My name is <img src=a onerror=alert(1) />" {
+		t.Error("Passing safe HTML to message is broken:", message)
+	}
 }
 
 func TestI18nMessageWithDefaultLocale(t *testing.T) {
