summaryrefslogtreecommitdiff
path: root/internal/handlers
diff options
context:
space:
mode:
authorPeter Stone <thepeterstone@gmail.com>2026-01-26 07:01:25 -1000
committerPeter Stone <thepeterstone@gmail.com>2026-01-26 07:01:25 -1000
commit8c2c88f90039e87b29ce32cd31b7b0361b5803d0 (patch)
tree6099e498084b876d343b071bbdf2cb62838eae7d /internal/handlers
parentf5b997bfc4c77ef262726d14b30d387eb7acd1c6 (diff)
Phase 1: Critical security fixes
- Remove default password fallback - require DEFAULT_PASS in all environments - Fix XSS vulnerabilities in HTML generation (handlers.go:795,920) - Add security headers middleware (X-Frame-Options, CSP, HSTS, etc.) - Add rate limiting on login endpoint (5 req/15min per IP) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Diffstat (limited to 'internal/handlers')
-rw-r--r--internal/handlers/handlers.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index a169478..635a69d 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -792,7 +792,9 @@ func (h *Handler) HandleGetListsOptions(w http.ResponseWriter, r *http.Request)
w.Header().Set("Content-Type", "text/html")
for _, list := range lists {
- _, _ = fmt.Fprintf(w, `<option value="%s">%s</option>`, list.ID, list.Name)
+ _, _ = fmt.Fprintf(w, `<option value="%s">%s</option>`,
+ template.HTMLEscapeString(list.ID),
+ template.HTMLEscapeString(list.Name))
}
}
@@ -917,7 +919,9 @@ func (h *Handler) HandleGetShoppingLists(w http.ResponseWriter, r *http.Request)
w.Header().Set("Content-Type", "text/html")
for _, list := range lists {
- _, _ = fmt.Fprintf(w, `<option value="%s">%s</option>`, list.ID, list.Name)
+ _, _ = fmt.Fprintf(w, `<option value="%s">%s</option>`,
+ template.HTMLEscapeString(list.ID),
+ template.HTMLEscapeString(list.Name))
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2026-03-28 09:24:37 +0000