GoWiki

blov · 2015-04-16 20:49:48 · 3955 views
This is a resource shared on 2015-04-16 20:49:48; the information in it may have since developed or changed.

http://aubble.com:8080

What do you guys think? Code: https://www.dropbox.com/s/q7d5cj85o0o8mo6/gowiki.zip?dl=0

Made it with the Go web applications tutorial and added a few additions of my own, haven't added CSS though. If you're ever stuck on the exercises at the end, I did them all in this.

Even better now. I'm still learning how to use git/GitHub so I'm gonna just post a link to the files. It's more secure now in that it escapes all text except for the links. So a <script> element isn't run by the browser, but it's still displayed; the old version filtered them. I think it's a more elegant solution now.


Comments:

elithrar_:

Link fails (nothing listening). You might be better served by putting the code up on GitHub or BitBucket rather than providing a zip file download.

JuicyMeJacKanoff:

My bad. I was updating it, it's up now! Don't know how to use either just yet, will try, thanks!

xbudex:

Do yourself a favor and learn git. Like right away. You will thank yourself later. Seriously, the importance of source control cannot be understated.

izuriel:

I know this great resource for basics: try.github.com

jcbwlkr:

Configure your editor to run gofmt or goimports on your code every time you save your changes. For this there are not a lot of changes but in the long run you and everyone else you work with will appreciate it.

JuicyMeJacKanoff:

Gotcha, thanks.

sharptierce:

Do yourself a favor and put that website offline right now. I could misuse this in any way I want.

Start by reading this: https://en.wikipedia.org/wiki/Cross-site_scripting

It seems this is only a hobby project, but you should be more careful since it's reachable by everyone. Additionally, if you make it public through reddit.

JuicyMeJacKanoff:

It doesn't allow script elements, what is wrong? The only reason I don't escape HTML is so that you can type [pagename] and it auto-inserts the link to that page. I'm too lazy to implement a better algorithm for that.

sharptierce:

Well, most wiki creators are too lazy. That's why they implement a meta language like Markdown or wiki syntax. Because it whitelists all operations that are allowed in a wiki. Not a blacklist with infinite entries and combinations.

Filtering script tags is only one protection. There are many other scenarios, like inserting iframe tags and doing CSRF attacks.

If you later on plan on adding authentication, it would allow me to capture cookies of all users and authenticate as their account and so on...

Like I said, it's awesome that you started learning this stuff, and if you put your code on GitHub or anything there's nothing wrong with that. But letting the server run public is just dangerous.

Maybe this will help you a lil bit more: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
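The whitelist approach sharptierce describes, applied to the `[pagename]` auto-linking that the OP gave as the reason for not escaping HTML: escape the whole body first, then turn only tokens matching a strict page-name pattern into links. This is an added example, not code from the GoWiki zip or the Go tutorial; the `/view/` route and the `[A-Za-z0-9_-]` page-name alphabet are assumptions.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
)

// Whitelist for page names (assumed): letters, digits, underscore, hyphen.
// Anything else inside the brackets simply does not become a link.
var linkPattern = regexp.MustCompile(`\[([A-Za-z0-9_-]+)\]`)

// render escapes every character that has meaning to the HTML parser
// (<, >, &, quotes) and only afterwards rewrites [pagename] tokens into
// anchors. The href and anchor text are built from the whitelisted match,
// never from raw input, so no user-supplied markup reaches the browser.
func render(body string) template.HTML {
	escaped := template.HTMLEscapeString(body)
	linked := linkPattern.ReplaceAllStringFunc(escaped, func(m string) string {
		name := linkPattern.FindStringSubmatch(m)[1]
		// Assumed route layout: /view/<name>, as in the Go wiki tutorial.
		return fmt.Sprintf(`<a href="/view/%s">%s</a>`, name, name)
	})
	// template.HTML marks the result as already-safe for html/template;
	// it is only safe because everything else was escaped above.
	return template.HTML(linked)
}

func main() {
	// Constructed sample input: a wiki link, raw markup, and a hyphenated link.
	body := `See [FrontPage] and <script>alert(1)</script> or [Home-Page]`
	fmt.Println(render(body))
}
```

Because the regex runs on the escaped text, a bracketed value containing markup (for example `[<b>x</b>]`) stays escaped and is not linked, which is the property a blacklist of tag names cannot give you.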

