editor/server: escape user provided link if insecure

2025-12-19 14:59:28 +00:00 · 2025-11-22 00:58:57 +08:00
parent 73347bfd93
commit 3c039efcd9
2 changed files with 25 additions and 1 deletions
--- a/editor/server/share.py
+++ b/editor/server/share.py
@@ -24,7 +24,7 @@ from . import (
    models
 )
-from .utils import fill_cf_template_params
+from .utils import fill_cf_template_params, sanitize_page_param_links
 # root_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), '../../')
 # examples_dir = os.path.join(root_dir, 'examples')
@@ -120,6 +120,7 @@ def get(name: str):
        params['what_can_i_do'] = html.escape(params.get('what_can_i_do', ''))
        fill_cf_template_params(params)
        fill_template_params(params)
        sanitize_page_param_links(params)
        return template.render(base=cf_template,
                               params=params,
--- a/editor/server/utils.py
+++ b/editor/server/utils.py
@@ -48,3 +48,26 @@ def fill_cf_template_params(params: dict):
    if not client_ip:
        client_ip = request.remote_addr
    params['client_ip'] = client_ip
 def sanitize_user_link(link: str):
    link = link.strip()
    link_lower = link
    if link_lower.startswith('http://') or link_lower.startswith('https://'):
        return link
    if '.' in link or '/' in link:
        return 'https://' + link
    return '#' + link
 def sanitize_page_param_links(param: dict):
    more_info = param.get('more_information')
    if more_info:
        link = more_info.get('link')
        if link:
            more_info['link'] = sanitize_user_link(link)
    perf_sec_by = param.get('perf_sec_by')
    if perf_sec_by:
        link = perf_sec_by.get('link')
        if link:
            perf_sec_by['link'] = sanitize_user_link(link)