From 84ecdae7ca322c818d026ab9c1a4ecff5d708d00 Mon Sep 17 00:00:00 2001
From: Alireza Ahmadi
Date: Sun, 14 Jul 2024 03:19:12 +0200
Subject: [PATCH] safe login #1365

---
 web/controller/index.go | 11 +++++++----
 web/session/session.go | 3 +++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/web/controller/index.go b/web/controller/index.go
index db2d55a3..f3056e07 100644
--- a/web/controller/index.go
+++ b/web/controller/index.go
@@ -2,6 +2,7 @@ package controller

 import (
 "net/http"
+ "text/template"
 "time"

 "x-ui/logger"
@@ -62,14 +63,16 @@ func (a *IndexController) login(c *gin.Context) {
 user := a.userService.CheckUser(form.Username, form.Password)
 timeStr := time.Now().Format("2006-01-02 15:04:05")

+ safeUser := template.HTMLEscapeString(form.Username)
+ safePass := template.HTMLEscapeString(form.Password)
 if user == nil {
- logger.Infof("wrong username or password: \"%s\" \"%s\"", form.Username, form.Password)
- a.tgbot.UserLoginNotify(form.Username, getRemoteIp(c), timeStr, 0)
+ logger.Infof("wrong username or password: \"%s\" \"%s\"", safeUser, safePass)
+ a.tgbot.UserLoginNotify(safeUser, getRemoteIp(c), timeStr, 0)
 pureJsonMsg(c, http.StatusOK, false, I18nWeb(c, "pages.login.toasts.wrongUsernameOrPassword"))
 return
 } else {
- logger.Infof("%s Successful Login ,Ip Address: %s\n", form.Username, getRemoteIp(c))
- a.tgbot.UserLoginNotify(form.Username, getRemoteIp(c), timeStr, 1)
+ logger.Infof("%s Successful Login ,Ip Address: %s\n", safeUser, getRemoteIp(c))
+ a.tgbot.UserLoginNotify(safeUser, getRemoteIp(c), timeStr, 1)
 }

 sessionMaxAge, err := a.settingService.GetSessionMaxAge()
diff --git a/web/session/session.go b/web/session/session.go
index 90c9c217..10cd5883 100644
--- a/web/session/session.go
+++ b/web/session/session.go
@@ -19,6 +19,9 @@ func init() {
 func SetLoginUser(c *gin.Context, user *model.User) error {
 s := sessions.Default(c)
+ s.Options(sessions.Options{
+ HttpOnly: true,
+ })
 s.Set(loginUser, user)
 return s.Save()
 }
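Review bot: The failed-login branch still writes the submitted password to the log (`safePass` in the `logger.Infof` call); HTML-escaping does not change that a mistyped password is usually one character away from the real one, so the password should not be logged at all. `template.HTMLEscapeString` also leaves newlines and other control characters intact, so it does not stop a crafted username from splitting log lines, whereas `%q` does: `logger.Infof("wrong username or password: %q", form.Username)` and `logger.Infof("%q Successful Login ,Ip Address: %s\n", form.Username, getRemoteIp(c))`. Whether the escaped value is right for `UserLoginNotify` depends on whether the bot sends with Telegram's HTML parse mode, which is not visible here; if it sends plain text, a username containing `'` or `&` will be shown as `&#39;`/`&amp;`, so a short comment stating the intent would help, e.g. `// escaped because tgbot sends with HTML parse mode`. login's body starts before this hunk and continues after it.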
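Review bot: `s.Options(sessions.Options{HttpOnly: true})` replaces the whole options struct for this session, so any Path, MaxAge, Secure or SameSite configured on the store (presumably in the `init()` named in the hunk header) is reset to its zero value for this Save; with MaxAge 0 the cookie would presumably carry no expiry and an empty Path lets the browser default it to the request directory. If the store is set up in `init()`, putting `HttpOnly: true` there so every `Save` inherits it avoids that, or the existing values should be carried over here; the caller in index.go reads a session max age right after login, so check that it still takes effect after this call. The same struct is also the natural place for `SameSite: http.SameSiteLaxMode` against cross-site requests, which needs `net/http` imported outside this hunk, and for `Secure` only where the panel is known to be served over TLS. SetLoginUser fits entirely within the hunk.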