🔒 fix #645 xss vulnerability
xhofe committed Mar 1, 2022
1 parent 5193b2a commit 6af17e2
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions server/controllers/other.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/Xhofe/alist/server/common"
"github.com/Xhofe/alist/utils"
"github.com/gin-gonic/gin"
"net/url"
"strings"
)

Expand All @@ -24,11 +25,19 @@ func Plist(c *gin.Context) {
return
}
u := string(bytes)
uUrl, err := url.Parse(u)
if err != nil {
common.ErrorResp(c, err, 500)
return
}
name := utils.Base(u)
u = uUrl.String()
ipaIndex := strings.Index(name, ".ipa")
if ipaIndex != -1 {
name = name[:ipaIndex]
}
name = strings.ReplaceAll(name, "<", "[")
name = strings.ReplaceAll(name, ">", "]")
plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
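Review bot: The two `strings.ReplaceAll` calls on `name` only neutralise `<` and `>`, so `&`, `"` and `'` still reach the XML unescaped, and `u = uUrl.String()` percent-encodes the path but copies the query string and fragment verbatim, so angle brackets and ampersands there are not touched at all; since the plist template that starts at the `fmt.Sprintf` appears to embed both values (it continues past the end of the hunk, so this is inferred), the fix is incomplete. Escape for the XML context instead of substituting characters: `name = html.EscapeString(name)` and `u = html.EscapeString(uUrl.String())` (with `"html"` added to the imports) — the entities it emits are valid XML character references, so the original name is preserved when the plist is parsed rather than rewritten to `[`/`]`. Note also that `url.Parse` accepts any scheme, so if this plist is meant for OTA install it may be worth rejecting anything other than `http`/`https` at the same point. The body of `Plist` begins before this hunk.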
