diff --git a/modules/context/context.go b/modules/context/context.go
index 57a91953063a..a77c1dc63021 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -6,6 +6,7 @@ package context
 import (
 "fmt"
+ "html"
 "html/template"
 "io"
 "net/http"
@@ -186,8 +187,10 @@ func Contexter() macaron.Handler {
 }
 }
- ctx.Data["CsrfToken"] = x.GetToken()
- ctx.Data["CsrfTokenHtml"] = template.HTML(``)
+ ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+
+ ctx.Data["CsrfToken"] = html.EscapeString(x.GetToken())
+ ctx.Data["CsrfTokenHtml"] = template.HTML(``)
 log.Debug("Session ID: %s", sess.ID())
 log.Debug("CSRF Token: %v", ctx.Data["CsrfToken"])
diff --git a/templates/user/auth/reset_passwd.tmpl b/templates/user/auth/reset_passwd.tmpl
index cb124f5b25f4..2408d39a7c9d 100644
--- a/templates/user/auth/reset_passwd.tmpl
+++ b/templates/user/auth/reset_passwd.tmpl
@@ -13,7 +13,7 @@
 {{if .IsResetForm}}
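Review bot: Storing the HTML-escaped token in `ctx.Data["CsrfToken"]` means every consumer of that key now receives the escaped form rather than the raw token: a `{{.CsrfToken}}` rendered through html/template is escaped a second time, and any place that hands the value to script and later sends it back in a header or form field must still compare equal to the token the server validates. Escaping is only needed where auto-escaping is bypassed, i.e. inside the `template.HTML(...)` value built on the next added line (its contents are not legible on this page), so I would keep `ctx.Data["CsrfToken"] = x.GetToken()` and apply `html.EscapeString` only within that `template.HTML` construction. Whether current tokens can even contain the characters `html.EscapeString` rewrites depends on the token generator, which is outside this hunk. Two further observations: the new `X-Frame-Options` header is set inside Contexter, so any response that does not pass through this middleware will not carry it, and the pre-existing `log.Debug("CSRF Token: %v", ...)` line writes the token to the log at debug level. The body of `Contexter` continues outside the hunk.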
- +
diff --git a/templates/user/auth/signin.tmpl b/templates/user/auth/signin.tmpl
index b928f2bdb596..85b7e7027753 100644
--- a/templates/user/auth/signin.tmpl
+++ b/templates/user/auth/signin.tmpl
@@ -15,7 +15,7 @@
- +
diff --git a/templates/user/auth/signup.tmpl b/templates/user/auth/signup.tmpl
index 86c020d6bbeb..ca98302ed206 100644
--- a/templates/user/auth/signup.tmpl
+++ b/templates/user/auth/signup.tmpl
@@ -22,11 +22,11 @@
- +
- +
{{if .EnableCaptcha}}
diff --git a/templates/user/settings/password.tmpl b/templates/user/settings/password.tmpl
index 644f4f93165f..dc8b19062f46 100644
--- a/templates/user/settings/password.tmpl
+++ b/templates/user/settings/password.tmpl
@@ -14,15 +14,15 @@
 {{.CsrfTokenHtml}}
- +
- +
- +
@@ -33,7 +33,7 @@

{{$.i18n.Tr "settings.password_change_disabled"}}

- {{end}}
+ {{end}}