Merge pull request #3022 from chenpeiyuan/develop

do html escape before display path, avoid xss

Merge pull request #3022 from chenpeiyuan/develop
do html escape before display path, avoid xss
eb4e0e40 · astaxie · GitHub · 96dffcd2 · 47c1072b · eb4e0e40
Unverified Commit eb4e0e40 authored Jul 20, 2018 by astaxie Committed by GitHub Jul 20, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 0 deletions

admin.go admin.go +12 -0

No files found.
--- a/admin.go
+++ b/admin.go
@@ -76,6 +76,18 @@ func adminIndex(rw http.ResponseWriter, r *http.Request) {
 func qpsIndex(rw http.ResponseWriter, r *http.Request) {
 	data := make(map[interface{}]interface{})
 	data["Content"] = toolbox.StatisticsMap.GetMap()
+
+	// do html escape before display path, avoid xss
+	if content, ok := (data["Content"]).(map[string]interface{}); ok {
+		if resultLists, ok := (content["Data"]).([][]string); ok {
+			for i := range resultLists {
+				if len(resultLists[i]) > 0 {
+					resultLists[i][0] = template.HTMLEscapeString(resultLists[i][0])
+				}
+			}
+		}
+	}
+
 	execTpl(rw, data, qpsTpl, defaultScriptsTpl)
 }