🔒 fix #645 xss vulnerability

pull/659/head
Xhofe 2022-03-01 20:09:25 +08:00
parent 5193b2aa7d
commit 6af17e2509
1 changed files with 9 additions and 0 deletions


@ -7,6 +7,7 @@ import (
"github.com/Xhofe/alist/server/common"
"github.com/Xhofe/alist/utils"
"github.com/gin-gonic/gin"
"net/url"
"strings"
)
@ -24,11 +25,19 @@ func Plist(c *gin.Context) {
return
}
u := string(bytes)
uUrl, err := url.Parse(u)
if err != nil {
common.ErrorResp(c, err, 500)
return
}
name := utils.Base(u)
u = uUrl.String()
ipaIndex := strings.Index(name, ".ipa")
if ipaIndex != -1 {
name = name[:ipaIndex]
}
name = strings.ReplaceAll(name, "<", "[")
name = strings.ReplaceAll(name, ">", "]")
plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
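Review bot: Replacing only `<` and `>` in `name` leaves `&` and quote characters untouched, and `u` gets no XML escaping at all before the `fmt.Sprintf` that builds the plist. `uUrl.String()` normalises the URL but does not XML-encode it, so an `&` in a query string would presumably still reach the document as raw markup; the Sprintf arguments are outside this hunk, so confirm where each value lands. Escaping both values at the point of use covers this, for example `name = html.EscapeString(name)` and `u = html.EscapeString(uUrl.String())` with `"html"` added to the imports, and it makes the two `strings.ReplaceAll` calls unnecessary. Two smaller points: `name` is still derived from the raw `u` rather than from `uUrl.Path`, and a parse failure on client-supplied input is reported as 500 where 400 would describe it better. It would also be worth rejecting any scheme other than `http`/`https` after `url.Parse`. Plist's body begins before and continues past this hunk.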