From e35e6b0f450e3a947a41e491d5c1765e521e0244 Mon Sep 17 00:00:00 2001
From: Wim Brand <fornax@fornaxian.com>
Date: Mon, 7 Dec 2020 22:23:29 +0100
Subject: [PATCH] fix XSS on opengraph tags

---
 res/include/md/subscribe.md           |   2 +-
 res/template/file_viewer.html         |  26 +++--
 res/template/file_viewer_compat.html  |   2 +-
 res/template/filesystem_svelte.html   |   2 +-
 res/template/fragments/opengraph.html |  13 +++
 webcontroller/file_viewer.go          |   9 +-
 webcontroller/opengraph.go            | 136 ++++++++++++--------------
 webcontroller/templates.go            |   2 +-
 8 files changed, 95 insertions(+), 97 deletions(-)
 create mode 100644 res/template/fragments/opengraph.html

diff --git a/res/include/md/subscribe.md b/res/include/md/subscribe.md
index e106f34..4989538 100644
--- a/res/include/md/subscribe.md
+++ b/res/include/md/subscribe.md
@@ -65,4 +65,4 @@ See our subscription plans on Patreon
 
 After ordering you will receive an e-mail with a link to activate your
 subscription. The subscription will be linked to the pixeldrain account you're
-currently loggin into.
+currently logged into.
diff --git a/res/template/file_viewer.html b/res/template/file_viewer.html
index dac0d75..1cbc15b 100644
--- a/res/template/file_viewer.html
+++ b/res/template/file_viewer.html
@@ -24,7 +24,7 @@
 		{{template `modal.css`}}
 		</style>
 
-		{{.OGData}}
+		{{ template "opengraph" .OGData }}
 	</head>
 
 	<body>
@@ -81,19 +81,17 @@
 
 					{{ if and .Other.FileAdsEnabled .Other.UserAdsEnabled }}
 					<hr/>
-					<div style="text-align: center; line-height: 1.4em">
-						<!-- scrolling="no" is not allowed by the W3C, but overflow: hidden doesn't work in chrome, so I have no choice -->
-						<iframe
-							data-aa="73974"
-							src="//ad.a-ads.com/73974?size=120x600&background_color={{.Style.Layer1Color.RGB}}&text_color={{.Style.TextColor.RGB}}&title_color={{.Style.HighlightColor.RGB}}&title_hover_color={{.Style.HighlightColor.RGB}}&link_color={{.Style.HighlightColor.RGB}}&link_hover_color={{.Style.HighlightColor.RGB}}"
-							style="width:120px; height:600px; border:none; padding:0; overflow:hidden;"
-							scrolling="no">
-						</iframe>
-						<br/>
-						<a class="button" href="https://a-ads.com/campaigns/new?selected_ad_unit_id=73974&selected_source_type=ad_unit&partner=73974">
-							Put your own advertisement here
-						</a>
-					</div>
+					Tired of ads?<br/>
+					Files expiring too soon?<br/>
+					<a class="button button_highlight" href="/click/7wy9gg2J?target=%2Fsubscribe">
+						<svg style="float: left; width: 2em; height: 2em; fill: currentColor;" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
+							<g fill-rule="evenodd">
+								<path d="M64.1102,0.1004 C44.259,0.1004 28.1086,16.2486 28.1086,36.0986 C28.1086,55.8884 44.259,71.989 64.1102,71.989 C83.9,71.989 100,55.8884 100,36.0986 C100,16.2486 83.9,0.1004 64.1102,0.1004"/>
+								<polygon points=".012 95.988 17.59 95.988 17.59 .1 .012 .1"/>
+							</g>
+						</svg>
+						Become a Patron!
+					</a>
 					{{ end }}
 
 					<!-- This frame will load the download URL when a download button is pressed -->
diff --git a/res/template/file_viewer_compat.html b/res/template/file_viewer_compat.html
index 46b392e..da15a6b 100644
--- a/res/template/file_viewer_compat.html
+++ b/res/template/file_viewer_compat.html
@@ -23,7 +23,7 @@
 		{{template `viewer.css`}}
 		</style>
 
-		{{.OGData}}
+		{{ template "opengraph" .OGData }}
 	</head>
 
 	<body>
diff --git a/res/template/filesystem_svelte.html b/res/template/filesystem_svelte.html
index e705237..37a7808 100644
--- a/res/template/filesystem_svelte.html
+++ b/res/template/filesystem_svelte.html
@@ -19,7 +19,7 @@
 		<link rel="shortcut icon" sizes="196x196" href="/res/img/pixeldrain_196.png" />
 		<meta name="theme-color" content="#75AD38"/>
 
-		{{.OGData}}
+		{{ template "opengraph" .OGData }}
 		<script>
 			const initialNode = {{.Other}};
 			window.api_endpoint = '{{.APIEndpoint}}';
diff --git a/res/template/fragments/opengraph.html b/res/template/fragments/opengraph.html
new file mode 100644
index 0000000..527e3d6
--- /dev/null
+++ b/res/template/fragments/opengraph.html
@@ -0,0 +1,13 @@
+{{ define "opengraph" }}
+
+{{ range $kv := .OGRules }}
+	<meta property="{{ $kv.Key }}" content="{{ $kv.Value }}" />
+{{ end }}
+{{ range $kv := .TwitterRules }}
+	<meta name="{{ $kv.Key }}" content="{{ $kv.Value }}" />
+{{ end }}
+{{ range $kv := .LinkRules }}
+	<link rel="{{ $kv.Key }}" href="{{ $kv.Value }}" />
+{{ end }}
+
+{{ end }}
diff --git a/webcontroller/file_viewer.go b/webcontroller/file_viewer.go
index 421a980..a9deed8 100644
--- a/webcontroller/file_viewer.go
+++ b/webcontroller/file_viewer.go
@@ -44,12 +44,12 @@ func adType() int {
 	// Intn returns a number up to n, but never n itself. So to get a random 0
 	// or 1 we need to give it n=2. We can use this function to make other
 	// splits like 1/3 1/4, etc
-	switch i := rand.Intn(8); i {
-	case 0, 1, 2, 3:
+	switch i := rand.Intn(10); i {
+	case 0, 1:
 		return amarulaSolutions
-	case 4, 5:
+	case 2, 3, 4:
 		return adMaven
-	case 6, 7:
+	case 5, 6, 7, 8, 9:
 		return propellerAds
 	default:
 		panic(fmt.Errorf(
@@ -282,7 +282,6 @@ func (wc *WebController) serveSkynetViewer(w http.ResponseWriter, r *http.Reques
 		name = params["filename"]
 	}
 
-	templateData.OGData = ""
 	templateData.Title = fmt.Sprintf("name ~ Skynet")
 	templateData.Other = viewerData{
 		Type:   "skylink",
diff --git a/webcontroller/opengraph.go b/webcontroller/opengraph.go
index 3693f83..7cffb09 100644
--- a/webcontroller/opengraph.go
+++ b/webcontroller/opengraph.go
@@ -1,99 +1,87 @@
 package webcontroller
 
 import (
-	"html/template"
 	"strings"
 
 	"fornaxian.tech/pixeldrain_server/api/restapi/apitype"
 )
 
-type ogRule struct {
-	Prop    string
-	Content string
+type ogData struct {
+	OGRules      []ogProp
+	TwitterRules []ogProp
+	LinkRules    []ogProp
 }
 
-func (o ogRule) HTML() template.HTML {
-	return template.HTML(`<meta property="` + o.Prop + `" content="` + o.Content + `"/>` + "\n")
+type ogProp struct {
+	Key   string
+	Value string
 }
 
-type twitterRule struct {
-	Name    string
-	Content string
-}
+func (og *ogData) addOG(k, v string)      { og.OGRules = append(og.OGRules, ogProp{k, v}) }
+func (og *ogData) addTwitter(k, v string) { og.TwitterRules = append(og.TwitterRules, ogProp{k, v}) }
+func (og *ogData) addLink(k, v string)    { og.LinkRules = append(og.LinkRules, ogProp{k, v}) }
 
-func (o twitterRule) HTML() template.HTML {
-	return template.HTML(`<meta name="` + o.Name + `" content="` + o.Content + `"/>` + "\n")
-}
-
-type linkRule struct {
-	Rel  string
-	HREF string
-}
-
-func (o linkRule) HTML() template.HTML {
-	return template.HTML(`<link rel="` + o.Rel + `" href="` + o.HREF + `"/>` + "\n")
-}
-
-func metadataFromFile(f apitype.FileInfo) (meta template.HTML) {
-	meta += ogRule{"og:title", f.Name}.HTML()
-	meta += ogRule{"og:site_name", "pixeldrain"}.HTML()
-	meta += ogRule{"og:description", "View '" + f.Name + "' on pixeldrain"}.HTML()
-	meta += ogRule{"description", "View '" + f.Name + "' on pixeldrain"}.HTML()
-	meta += ogRule{"og:url", "/u/" + f.ID}.HTML()
-	meta += twitterRule{"twitter:title", f.Name}.HTML()
-	meta += twitterRule{"twitter:site", "@Fornax96"}.HTML()
-	meta += twitterRule{"twitter:domain", "pixeldrain.com"}.HTML()
+func metadataFromFile(f apitype.FileInfo) (og ogData) {
+	og.addOG("og:title", f.Name)
+	og.addOG("og:site_name", "pixeldrain")
+	og.addOG("og:description", "View '"+f.Name+"' on pixeldrain")
+	og.addOG("description", "View '"+f.Name+"' on pixeldrain")
+	og.addOG("og:url", "/u/"+f.ID)
+	og.addTwitter("twitter:title", f.Name)
+	og.addTwitter("twitter:site", "@Fornax96")
+	og.addTwitter("twitter:domain", "pixeldrain.com")
 
 	if strings.HasPrefix(f.MimeType, "image") {
-		meta += ogRule{"og:type", "article"}.HTML()
-		meta += ogRule{"og:image", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:image:url", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:image:secure_url", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:image:type", f.MimeType}.HTML()
+		og.addOG("og:type", "article")
+		og.addOG("og:image", "/api/file/"+f.ID)
+		og.addOG("og:image:url", "/api/file/"+f.ID)
+		og.addOG("og:image:secure_url", "/api/file/"+f.ID)
+		og.addOG("og:image:type", f.MimeType)
 
-		meta += twitterRule{"twitter:card", "summary_large_image"}.HTML()
-		meta += twitterRule{"twitter:image", "/api/file/" + f.ID}.HTML()
-		meta += linkRule{"image_src", "/api/file/" + f.ID}.HTML()
+		og.addTwitter("twitter:card", "summary_large_image")
+		og.addTwitter("twitter:image", "/api/file/"+f.ID)
+		og.addLink("image_src", "/api/file/"+f.ID)
 	} else if strings.HasPrefix(f.MimeType, "video") {
-		meta += ogRule{"og:type", "video.other"}.HTML()
-		meta += ogRule{"og:image", "/api/file/" + f.ID + "/thumbnail"}.HTML()
-		meta += ogRule{"og:video", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:video:secure_url", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:video:type", f.MimeType}.HTML()
+		og.addOG("og:type", "video.other")
+		og.addOG("og:image", "/api/file/"+f.ID+"/thumbnail")
+		og.addOG("og:video", "/api/file/"+f.ID)
+		og.addOG("og:video:url", "/api/file/"+f.ID)
+		og.addOG("og:video:secure_url", "/api/file/"+f.ID)
+		og.addOG("og:video:type", f.MimeType)
 
-		meta += twitterRule{"twitter:card", "player"}.HTML()
-		meta += twitterRule{"twitter:image", "/api/file/" + f.ID + "/thumbnail"}.HTML()
-		meta += twitterRule{"twitter:player", "/api/file/" + f.ID}.HTML()
-		meta += twitterRule{"twitter:player:stream", "/api/file/" + f.ID}.HTML()
-		meta += twitterRule{"twitter:player:stream:content_type", f.MimeType}.HTML()
-		meta += linkRule{"image_src", "/api/file/" + f.ID + "/thumbnail"}.HTML()
+		og.addTwitter("twitter:card", "player")
+		og.addTwitter("twitter:image", "/api/file/"+f.ID+"/thumbnail")
+		og.addTwitter("twitter:player", "/api/file/"+f.ID)
+		og.addTwitter("twitter:player:stream", "/api/file/"+f.ID)
+		og.addTwitter("twitter:player:stream:content_type", f.MimeType)
+		og.addLink("image_src", "/api/file/"+f.ID+"/thumbnail")
 	} else if strings.HasPrefix(f.MimeType, "audio") {
-		meta += ogRule{"og:type", "music.song"}.HTML()
-		meta += ogRule{"og:audio", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:audio:secure_url", "/api/file/" + f.ID}.HTML()
-		meta += ogRule{"og:audio:type", f.MimeType}.HTML()
-		meta += linkRule{"image_src", "/api/file/" + f.ID + "/thumbnail"}.HTML()
+		og.addOG("og:type", "music.song")
+		og.addOG("og:audio", "/api/file/"+f.ID)
+		og.addOG("og:audio:secure_url", "/api/file/"+f.ID)
+		og.addOG("og:audio:type", f.MimeType)
+		og.addLink("image_src", "/api/file/"+f.ID+"/thumbnail")
 	} else {
-		meta += ogRule{"og:type", "website"}.HTML()
-		meta += linkRule{"image_src", "/api/file/" + f.ID + "/thumbnail"}.HTML()
+		og.addOG("og:type", "website")
+		og.addLink("image_src", "/api/file/"+f.ID+"/thumbnail")
 	}
-	return meta
+	return og
 }
-func metadataFromList(l apitype.ListInfo) (meta template.HTML) {
-	meta += ogRule{"og:type", "website"}.HTML()
-	meta += ogRule{"og:title", l.Title}.HTML()
-	meta += ogRule{"og:site_name", "pixeldrain"}.HTML()
-	meta += ogRule{"og:description", "View '" + l.Title + "' on pixeldrain"}.HTML()
-	meta += ogRule{"description", "View '" + l.Title + "' on pixeldrain"}.HTML()
-	meta += ogRule{"og:url", "/l/" + l.ID}.HTML()
-	meta += twitterRule{"twitter:title", l.Title}.HTML()
-	meta += twitterRule{"twitter:site", "@Fornax96"}.HTML()
-	meta += twitterRule{"twitter:domain", "pixeldrain.com"}.HTML()
+func metadataFromList(l apitype.ListInfo) (og ogData) {
+	og.addOG("og:type", "website")
+	og.addOG("og:title", l.Title)
+	og.addOG("og:site_name", "pixeldrain")
+	og.addOG("og:description", "View '"+l.Title+"' on pixeldrain")
+	og.addOG("description", "View '"+l.Title+"' on pixeldrain")
+	og.addOG("og:url", "/l/"+l.ID)
+	og.addTwitter("twitter:title", l.Title)
+	og.addTwitter("twitter:site", "@Fornax96")
+	og.addTwitter("twitter:domain", "pixeldrain.com")
 	if l.FileCount > 0 {
-		meta += ogRule{"og:image", "/api/file/" + l.Files[0].ID + "/thumbnail"}.HTML()
-		meta += ogRule{"og:image:url", "/api/file/" + l.Files[0].ID + "/thumbnail"}.HTML()
-		meta += twitterRule{"twitter:image", "/api/file/" + l.Files[0].ID + "/thumbnail"}.HTML()
-		meta += linkRule{"image_src", "/api/file/" + l.Files[0].ID + "/thumbnail"}.HTML()
+		og.addOG("og:image", "/api/file/"+l.Files[0].ID+"/thumbnail")
+		og.addOG("og:image:url", "/api/file/"+l.Files[0].ID+"/thumbnail")
+		og.addTwitter("twitter:image", "/api/file/"+l.Files[0].ID+"/thumbnail")
+		og.addLink("image_src", "/api/file/"+l.Files[0].ID+"/thumbnail")
 	}
-	return meta
+	return og
 }
diff --git a/webcontroller/templates.go b/webcontroller/templates.go
index c453aae..f1587f8 100644
--- a/webcontroller/templates.go
+++ b/webcontroller/templates.go
@@ -34,7 +34,7 @@ type TemplateData struct {
 
 	// Only used on file viewer page
 	Title  string
-	OGData template.HTML
+	OGData ogData
 
 	Other    interface{}
 	URLQuery url.Values