Merge pull request #306 from Bwko/Security

Fixes xss, clickjacking & password autocompletion

Author: metalmatze

modules/context/context.go

@@ -6,6 +6,7 @@ package context
 
 import (
 	"fmt"
+	"html"
 	"html/template"
 	"io"
 	"net/http"
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
 			}
 		}
 
-		ctx.Data["CsrfToken"] = x.GetToken()
-		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
+		ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+
+		ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
+		ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
 		log.Debug("Session ID: %s", sess.ID())
 		log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
 

templates/user/auth/reset_passwd.tmpl

@@ -13,7 +13,7 @@
 					{{if .IsResetForm}}
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "password"}}</label>
-							<input id="password" name="password" type="password"  value="{{.password}}" autofocus required>
+							<input id="password" name="password" type="password"  value="{{.password}}" autocomplete="off" autofocus required>
 						</div>
 						<div class="ui divider"></div>
 						<div class="inline field">

templates/user/auth/signin.tmpl

@@ -15,7 +15,7 @@
 					</div>
 					<div class="required inline field {{if .Err_Password}}error{{end}}">
 						<label for="password">{{.i18n.Tr "password"}}</label>
-						<input id="password" name="password" type="password" value="{{.password}}" required>
+						<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
 					</div>
 					<div class="inline field">
 						<label></label>

templates/user/auth/signup.tmpl

@@ -22,11 +22,11 @@
 						</div>
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "password"}}</label>
-							<input id="password" name="password" type="password" value="{{.password}}" required>
+							<input id="password" name="password" type="password" value="{{.password}}" autocomplete="off" required>
 						</div>
 						<div class="required inline field {{if .Err_Password}}error{{end}}">
 							<label for="retype">{{.i18n.Tr "re_type"}}</label>
-							<input id="retype" name="retype" type="password" value="{{.retype}}" required>
+							<input id="retype" name="retype" type="password" value="{{.retype}}" autocomplete="off" required>
 						</div>
 						{{if .EnableCaptcha}}
 							<div class="inline field">

templates/user/settings/password.tmpl

@@ -14,15 +14,15 @@
 						{{.CsrfTokenHtml}}
 						<div class="required field {{if .Err_OldPassword}}error{{end}}">
 							<label for="old_password">{{.i18n.Tr "settings.old_password"}}</label>
-							<input id="old_password" name="old_password" type="password" autofocus required>
+							<input id="old_password" name="old_password" type="password" autocomplete="off" autofocus required>
 						</div>
 						<div class="required field {{if .Err_Password}}error{{end}}">
 							<label for="password">{{.i18n.Tr "settings.new_password"}}</label>
-							<input id="password" name="password" type="password" required>
+							<input id="password" name="password" type="password" autocomplete="off" required>
 						</div>
 						<div class="required field {{if .Err_Password}}error{{end}}">
 							<label for="retype">{{.i18n.Tr "settings.retype_new_password"}}</label>
-							<input id="retype" name="retype" type="password" required>
+							<input id="retype" name="retype" type="password" autocomplete="off" required>
 						</div>
 
 						<div class="field">
@@ -33,7 +33,7 @@
 					<div class="ui info message">
 						<p class="text left">{{$.i18n.Tr "settings.password_change_disabled"}}</p>
 					</div>
-					{{end}} 
+					{{end}}
 				</div>
 			</div>
 		</div>