diff --git a/modules/context/context.go b/modules/context/context.go index 57a91953063a..a77c1dc63021 100644 --- a/modules/context/context.go +++ b/modules/context/context.go @@ -6,6 +6,7 @@ package context import ( "fmt" + "html" "html/template" "io" "net/http" @@ -186,8 +187,10 @@ func Contexter() macaron.Handler { } } - ctx.Data["CsrfToken"] = x.GetToken() - ctx.Data["CsrfTokenHtml"] = template.HTML(``) + ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) + + ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken()) + ctx.Data["CsrfTokenHtml"] = template.HTML(``) log.Debug("Session ID: %s", sess.ID()) log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"]) diff --git a/templates/user/auth/reset_passwd.tmpl b/templates/user/auth/reset_passwd.tmpl index cb124f5b25f4..2408d39a7c9d 100644 --- a/templates/user/auth/reset_passwd.tmpl +++ b/templates/user/auth/reset_passwd.tmpl @@ -13,7 +13,7 @@ {{if .IsResetForm}}