caddy

mirror of https://github.com/caddyserver/caddy.git synced 2026-06-27 20:31:47 +00:00

History

JM Sanchez e2eee6a7fc Some checks failed Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Has been cancelled Details Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled Details Tests / test (s390x on IBM Z) (push) Has been cancelled Details Tests / goreleaser-check (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, aix) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, darwin) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, illumos) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, linux) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, solaris) (push) Has been cancelled Details Cross-Build / build (~1.26.0, 1.26, windows) (push) Has been cancelled Details Lint / lint (push) Has been cancelled Details Lint / lint-1 (push) Has been cancelled Details Lint / lint-2 (push) Has been cancelled Details Lint / govulncheck (push) Has been cancelled Details Lint / dependency-review (push) Has been cancelled Details OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Has been cancelled Details templates: Patch for GHSA-vcc4-2c75-vc9v (#7785 ) * Patch GHSA-vcc4-2c75-vc9v in stripHTML templates: fix funcStripHTML bypass via depth counter The previous false-start approach allowed XSS bypass via inputs like <<>img src=x onerror=alert(1)> and failed on stacked angle brackets. Replace the tagStart/inTag state machine with a depth counter that mirrors PHP strip_tags behaviour: each '<' increments depth, each '>' decrements it, and text is only emitted at depth zero. Quoted attribute values (both single and double) are tracked so '>' inside href values does not prematurely close a tag. Signed-off-by: JM Sanchez <77505889+jmrcsnchz@users.noreply.github.com> * Update tplcontext_test.go Templates: expand TestStripHTML with attack path coverage Signed-off-by: JM Sanchez <77505889+jmrcsnchz@users.noreply.github.com> --------- Signed-off-by: JM Sanchez <77505889+jmrcsnchz@users.noreply.github.com>		2026-06-01 13:35:02 -06:00
..
caddyfile.go	caddyfile: Normalize & flatten all unmarshalers (#6037 )	2024-01-23 19:36:59 -05:00
frontmatter.go	chore: Use slices package where possible (#6585 )	2024-09-25 14:30:56 -06:00
frontmatter_fuzz.go	core: Windows service integration (#4790 )	2022-07-29 14:06:54 -06:00
templates.go	templates: Explicitly warn about misconfigurations	2026-05-11 16:45:49 -06:00
tplcontext.go	templates: Patch for GHSA-vcc4-2c75-vc9v (#7785 )	2026-06-01 13:35:02 -06:00
tplcontext_test.go	templates: Patch for GHSA-vcc4-2c75-vc9v (#7785 )	2026-06-01 13:35:02 -06:00