
safe login

Co-Authored-By: Alireza Ahmadi <[email protected]>
mhsanaei 4 月之前
父節點
當前提交
de985263f5
共有 1 個文件被更改,包括 8 次插入4 次删除
  1. 8 4
      web/controller/index.go

+ 8 - 4
web/controller/index.go

@@ -2,6 +2,7 @@ package controller
 
 import (
 	"net/http"
+	"text/template"
 	"time"
 
 	"x-ui/logger"
@@ -64,14 +65,17 @@ func (a *IndexController) login(c *gin.Context) {
 
 	user := a.userService.CheckUser(form.Username, form.Password, form.LoginSecret)
 	timeStr := time.Now().Format("2006-01-02 15:04:05")
+	safeUser := template.HTMLEscapeString(form.Username)
+	safePass := template.HTMLEscapeString(form.Password)
+	safeSecret := template.HTMLEscapeString(form.LoginSecret)
 	if user == nil {
-		logger.Warningf("wrong username or password or secret: \"%s\" \"%s\" \"%s\"", form.Username, form.Password, form.LoginSecret)
-		a.tgbot.UserLoginNotify(form.Username, form.Password, getRemoteIp(c), timeStr, 0)
+		logger.Warningf("wrong username or password or secret: \"%s\" \"%s\" \"%s\"", safeUser, safePass, safeSecret)
+		a.tgbot.UserLoginNotify(safeUser, safePass, getRemoteIp(c), timeStr, 0)
 		pureJsonMsg(c, http.StatusOK, false, I18nWeb(c, "pages.login.toasts.wrongUsernameOrPassword"))
 		return
 	} else {
-		logger.Infof("%s logged in successfully, Ip Address: %s\n", form.Username, getRemoteIp(c))
-		a.tgbot.UserLoginNotify(form.Username, ``, getRemoteIp(c), timeStr, 1)
+		logger.Infof("%s logged in successfully, Ip Address: %s\n", safeUser, getRemoteIp(c))
+		a.tgbot.UserLoginNotify(safeUser, ``, getRemoteIp(c), timeStr, 1)
 	}
 
 	sessionMaxAge, err := a.settingService.GetSessionMaxAge()
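Review bot: The three `template.HTMLEscapeString` assignments do not touch `\r` or `\n`, so a username containing a newline still splits the `logger.Warningf` and `logger.Infof` lines below them into two log records; for a text logger the idiomatic guard is the `%q` verb, which escapes control characters and quotes, e.g. `logger.Warningf("wrong username or password or secret: %q %q from %s", form.Username, form.LoginSecret, getRemoteIp(c))` and `logger.Infof("%q logged in successfully, Ip Address: %s", form.Username, getRemoteIp(c))`. Independently of escaping, the failed-login branch still writes the submitted password and secret to the log and hands the password to `UserLoginNotify`; near-miss typos of the real password end up persisted there, so dropping `safePass` from the log call and passing `""` to `UserLoginNotify` as the success branch already does would be the safer default. Whether HTML escaping is the right transform for `UserLoginNotify` depends on the bot's message parse mode, which is not visible in this hunk. `login` continues past the end of the hunk.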