Opening uploaded html file link to browser causes browser to execute the javascript in the file #389

Closed
opened 2026-01-19 18:30:08 +00:00 by michael · 2 comments
Owner

Originally created by @minhaz1 on GitHub.

When you upload an html file and open the given url in the browser (tested on Chrome) the javascript that was in the file executes. For example, below I have an html file that redirects the user to another website, so when I open the link to the file on transfer.sh it ends up executing the redirect code instead of just showing me a preview.

Sample code:

```
<!DOCTYPE HTML>
<html lang="en-US">
    <head>
        <meta charset="UTF-8">
        <meta http-equiv="refresh" content="1;url=http://www.sample.com">
        <script type="text/javascript">
            window.location.href = "http://www.sample.com"
        </script>
        <title>Page Redirection</title>
    </head>
    <body>
        <!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
        If you are not redirected automatically, follow the <a href='http://www.sample.com'>link to sample</a>
    </body>
</html>
```
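
The behaviour reported above, as an added Go example that is not transfer.sh's own code: a preview renderer that treats uploaded content as trusted HTML, next to one that lets `html/template` escape it. The function names, the template and the sample upload are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample upload, modelled on the redirect file in the report.
const upload = `<script>window.location.href = "http://www.sample.com"</script>`

// previewTmpl keeps the <pre> wrapper inside the template so that
// html/template escapes .Body for the HTML text context by itself.
var previewTmpl = template.Must(template.New("preview").Parse(`<pre>{{.Body}}</pre>`))

// render executes the preview template with the given body value.
func render(body interface{}) (string, error) {
	var buf bytes.Buffer
	err := previewTmpl.Execute(&buf, struct{ Body interface{} }{body})
	return buf.String(), err
}

// renderUnsafe (hypothetical) marks the upload as trusted HTML, so the
// engine emits it verbatim and a browser would run the script.
func renderUnsafe(data string) (string, error) { return render(template.HTML(data)) }

// renderSafe (hypothetical) passes the upload as a plain string; the
// engine turns <, >, & and quotes into entities before writing it out.
func renderSafe(data string) (string, error) { return render(data) }

// hasLiveScript reports whether the page still carries a raw <script> tag.
func hasLiveScript(page string) bool {
	return strings.Contains(strings.ToLower(page), "<script")
}

func main() {
	unsafePage, _ := renderUnsafe(upload)
	safePage, _ := renderSafe(upload)
	fmt.Printf("unsafe live-script=%v\n%s\n", hasLiveScript(unsafePage), unsafePage)
	fmt.Printf("safe   live-script=%v\n%s\n", hasLiveScript(safePage), safePage)
}
```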

@nl5887 commented on GitHub:

Good one, will fix this.


@johnko commented on GitHub:

-content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", data))
+content = html_template.HTML(fmt.Sprintf("<pre>%s</pre>", html.EscapeString(data)))
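
Review bot: on the `+` line, `html.EscapeString` becomes the only protection for the preview, because wrapping the result in `html_template.HTML` tells the template engine to skip its own escaping for this value. Consider moving the `<pre>` wrapper into the template and passing `data` as a plain string, so the engine escapes it for its context and a later edit to this line cannot silently drop the escaping. The hunk also covers only this rendering path; it does not show whether the direct file URL described in the issue still returns the upload as HTML.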
Reference: dutchcoders/transfer.sh#389