upload
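--- /dev/null
+++ b/<PATH NOT SHOWN ON PAGE>
@@ -0,0 +1,82 @@
+package utils
+
+import (
+"regexp"
+"strings"
+)
+
+// SanitizeHTML removes potentially dangerous HTML tags and attributes
+// This is a basic implementation. For production, consider using bluemonday library
+func SanitizeHTML(html string) string {
+// Remove script tags and content
+reScript := regexp.MustCompile(`(?i)<script[^>]*>.*?</script>`)
+html = reScript.ReplaceAllString(html, "")
+
+// Remove inline event handlers (onclick, onerror, etc.)
+reEvents := regexp.MustCompile(`(?i)\s*on\w+\s*=\s*["'][^"']*["']`)
+html = reEvents.ReplaceAllString(html, "")
+
+// Remove javascript: URLs
+reJSURL := regexp.MustCompile(`(?i)javascript:`)
+html = reJSURL.ReplaceAllString(html, "")
+
+// Remove iframe tags (can be optionally allowed if needed)
+reIframe := regexp.MustCompile(`(?i)<iframe[^>]*>.*?</iframe>`)
+html = reIframe.ReplaceAllString(html, "")
+
+// Remove object/embed tags
+reObject := regexp.MustCompile(`(?i)<(object|embed)[^>]*>.*?</\1>`)
+html = reObject.ReplaceAllString(html, "")
+
+// Remove style tags (if CSS injection is a concern)
+// Uncomment if you want to remove inline styles
+// reStyle := regexp.MustCompile(`(?i)<style[^>]*>.*?</style>`)
+// html = reStyle.ReplaceAllString(html, "")
+
+return strings.TrimSpace(html)
+}
+
+// SanitizeString removes HTML tags entirely and returns plain text
+func SanitizeString(input string) string {
+// Remove all HTML tags
+reHTML := regexp.MustCompile(`<[^>]*>`)
+text := reHTML.ReplaceAllString(input, " ")
+
+// Normalize whitespace
+text = strings.Join(strings.Fields(text), " ")
+
+return strings.TrimSpace(text)
+}
+
+// ValidateURL checks if a URL is safe (http/https only)
+func ValidateURL(url string) bool {
+if url == "" {
+return true
+}
+lower := strings.ToLower(strings.TrimSpace(url))
+return strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") || strings.HasPrefix(lower, "/")
+}
+
+// SanitizeFilename removes dangerous characters from filenames
+func SanitizeFilename(filename string) string {
+// Remove path traversal attempts
+filename = strings.ReplaceAll(filename, "..", "")
+filename = strings.ReplaceAll(filename, "/", "")
+filename = strings.ReplaceAll(filename, "\\", "")
+
+// Allow only safe characters
+re := regexp.MustCompile(`[^a-zA-Z0-9._-]`)
+filename = re.ReplaceAllString(filename, "_")
+
+// Limit length
+if len(filename) > 200 {
+filename = filename[:200]
+}
+
+return filename
+}
+
+// RemoveNullBytes removes null bytes that can cause issues
+func RemoveNullBytes(s string) string {
+return strings.ReplaceAll(s, "\x00", "")
+}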
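Review bot: The object/embed pattern in SanitizeHTML uses the backreference `\1`, which Go's RE2-based regexp package does not support, so `regexp.MustCompile` panics and every call to SanitizeHTML aborts before sanitizing anything; spelling the closing tag out as an alternation, `(?i)<(object|embed)[^>]*>.*?</(?:object|embed)>`, compiles. In SanitizeFilename the `..` replacement runs before the separator replacements, so an input such as `./.` becomes `..` once the `/` is removed and the allowed-character regex then passes it through unchanged; stripping separators first and rejecting a result of `.` or `..` closes that gap (rewrite below). ValidateURL's doc comment says http/https only, but the `strings.HasPrefix(lower, "/")` clause also admits protocol-relative `//host/...` values that browsers resolve to another origin, so either add `&& !strings.HasPrefix(lower, "//")` or widen the comment to state that relative paths are accepted. The `.*?` in the script and iframe patterns does not match newlines without the `s` flag, so an element whose content spans a line break is not removed; `(?is)` would cover it, though as the existing comment notes a tag blocklist is not a substitute for an allowlist sanitizer. All of these regexps are also recompiled on every call; hoisting them to package-level `var reScript = regexp.MustCompile(...)` declarations is the usual idiom and would have surfaced the `\1` panic at program start rather than on first use.
```go
func SanitizeFilename(filename string) string {
	// Strip separators before dots so that removing ".." cannot
	// recreate a traversal component (e.g. "./." -> "..").
	filename = strings.ReplaceAll(filename, "/", "")
	filename = strings.ReplaceAll(filename, "\\", "")
	filename = strings.ReplaceAll(filename, "..", "")

	// … unchanged: allowed-character regex and 200-byte length limit …

	// A bare "." or ".." (or nothing at all) is never a usable file name.
	if filename == "" || filename == "." || filename == ".." {
		return "_"
	}
	return filename
}
```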