Fix Markdown preview (#368)

Thomas Miceli 2024-11-02 01:05:43 +01:00 committed by GitHub
parent 97b9fa1100
commit d537153785
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 11 additions and 6 deletions


@ -37,7 +37,7 @@ var CmdStart = cli.Command{
Initialize(ctx) Initialize(ctx)
go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions")).Start() go web.NewServer(os.Getenv("OG_DEV") == "1", path.Join(config.GetHomeDir(), "sessions"), false).Start()
go ssh.Start() go ssh.Start()
<-stopCtx.Done() <-stopCtx.Done()


@ -164,7 +164,7 @@ type Server struct {
dev bool dev bool
} }
func NewServer(isDev bool, sessionsPath string) *Server { func NewServer(isDev bool, sessionsPath string, ignoreCsrf bool) *Server {
dev = isDev dev = isDev
flashStore = sessions.NewCookieStore([]byte("opengist")) flashStore = sessions.NewCookieStore([]byte("opengist"))
encryptKey, _ := utils.GenerateSecretKey(filepath.Join(sessionsPath, "session-encrypt.key")) encryptKey, _ := utils.GenerateSecretKey(filepath.Join(sessionsPath, "session-encrypt.key"))
@ -245,15 +245,16 @@ func NewServer(isDev bool, sessionsPath string) *Server {
// Web based routes // Web based routes
g1 := e.Group("") g1 := e.Group("")
{ {
if !dev { if !ignoreCsrf {
g1.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{ g1.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
TokenLookup: "form:_csrf,header:X-CSRF-Token", TokenLookup: "form:_csrf,header:X-CSRF-Token",
CookiePath: "/", CookiePath: "/",
CookieHTTPOnly: true, CookieHTTPOnly: true,
CookieSameSite: http.SameSiteStrictMode, CookieSameSite: http.SameSiteStrictMode,
})) }))
g1.Use(csrfInit)
} }
g1.Use(csrfInit)
g1.GET("/", create, logged) g1.GET("/", create, logged)
g1.POST("/", processCreate, logged) g1.POST("/", processCreate, logged)
g1.POST("/preview", preview, logged) g1.POST("/preview", preview, logged)
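Review bot: The new `ignoreCsrf` parameter on `NewServer` switches off the CSRF middleware for the whole web route group, yet nothing at the signature says so, and call sites now read as a bare `false` or `true`. A doc comment such as `// ignoreCsrf disables CSRF token checks on all web routes; only the test server should pass true.` would make that risk visible to future callers. This rendering does not show which of the two `g1.Use(csrfInit)` placements is the new one; if csrfInit now runs when the middleware is skipped, it (not visible here) has to cope with an absent token. NewServer's body continues outside both hunks.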


@ -33,7 +33,7 @@ type testServer struct {
func newTestServer() (*testServer, error) { func newTestServer() (*testServer, error) {
s := &testServer{ s := &testServer{
server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions")), server: web.NewServer(true, path.Join(config.GetHomeDir(), "tmp", "sessions"), true),
} }
go s.start() go s.start()
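Review bot: Passing `true` here means the whole suite runs with CSRF checks off, so the failure this commit fixes (a POST to `/preview` that carries no token) cannot be caught by these tests. Consider letting `newTestServer` take the flag, or adding a second constructor, so that at least one test starts the server with `ignoreCsrf` set to `false` and asserts that a tokenless POST is rejected while one carrying the token succeeds. newTestServer's body continues outside the hunk.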


@ -73,10 +73,14 @@ document.addEventListener("DOMContentLoaded", () => {
} else { } else {
const formData = new FormData(); const formData = new FormData();
formData.append('content', editor.state.doc.toString()); formData.append('content', editor.state.doc.toString());
let csrf = document.querySelector<HTMLInputElement>('form#create input[name="_csrf"]').value
fetch(`${baseUrl}/preview`, { fetch(`${baseUrl}/preview`, {
method: 'POST', method: 'POST',
credentials: 'same-origin', credentials: 'same-origin',
body: formData body: formData,
headers: {
'X-CSRF-Token': csrf
}
}).then(r => r.text()).then(r => { }).then(r => r.text()).then(r => {
let divpreview = dom.querySelector("div.preview") as HTMLElement; let divpreview = dom.querySelector("div.preview") as HTMLElement;
divpreview!.innerHTML = r; divpreview!.innerHTML = r;
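Review bot: The new `csrf` lookup dereferences `.value` directly on the result of `querySelector`, which is `null` whenever the page has no `form#create input[name="_csrf"]` (possibly when the server runs with CSRF disabled, or if this script is ever loaded next to a form with a different id), and the preview then fails with a TypeError. A guarded form such as `const csrf = document.querySelector<HTMLInputElement>('form#create input[name="_csrf"]')?.value ?? '';` keeps the request going. The response is also written to `innerHTML` without looking at `r.ok`, so a rejected request (for example a 403 from the CSRF middleware) would render the error body in the preview pane; checking the status before `r.text()` avoids that. The enclosing handler starts and ends outside the hunk.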