fixed file upload box getting too wide, file link issues, and message XSS vulnerabilities

html/css/global/img.css

@@ -243,4 +243,8 @@ div.file-deleted-box {
 	float: left;
 	margin:4px 8px;
 	border-width: 2px;
+}
+
+input[type=file] {
+	max-width: 275px;
 }

src/posting.go

@@ -7,6 +7,7 @@ import (
 	"io/ioutil"
 	"errors"
 	"fmt"
+	"html"
 	"image"
 	"image/jpeg"
 	"image/gif"
@@ -54,7 +55,6 @@ func buildBoardPages(boardid int, boards []BoardsTable, sections []interface{})
 		op_posts = make([]interface{},0)
 	}
 
-	// yes I know there's a better way to do this, minimizing the number of sql statements made, sorting and splitting it in the code, but I'll fix that later
 	for _,op_post_i := range op_posts {
 		var thread Thread
 		var posts_in_thread []interface{}
@@ -68,11 +68,6 @@ func buildBoardPages(boardid int, boards []BoardsTable, sections []interface{})
 		} else {
 			limit = config.RepliesOnBoardpage
 		}
-
-		/*err = db.QueryRow("SELECT * FROM (SELECT * FROM `"+config.DBprefix+"posts` WHERE `boardid` = "+strconv.Itoa(board.ID)+" AND `id` = "+strconv.Itoa(op_post.ID)+" AND `parentid` = "+strconv.Itoa(op_post.ID)+" ORDER BY `id` DESC LIMIT "+strconv.Itoa(config.StickyRepliesOnBoardPage)+" ORDER BY `id` ASC").Scan(&thread.OP)
-		if err != nil {
-			html += err.Error()+"<br />"
-		}*/
 		
 		posts_in_thread,err = getPostArr("SELECT * FROM `"+config.DBprefix+"posts` WHERE `boardid` = "+strconv.Itoa(board.ID)+" AND `parentid` = "+strconv.Itoa(op_post.ID)+" LIMIT "+strconv.Itoa(limit))
 		if err != nil {
@@ -387,7 +382,7 @@ func makePost(w http.ResponseWriter, r *http.Request) {
 	}
 
 	post.Subject = escapeString(request.FormValue("postsubject"))
-	post.Message = escapeString(request.FormValue("postmsg"))
+	post.Message = html.EscapeString(escapeString(request.FormValue("postmsg")))
 	post.Password = md5_sum(request.FormValue("postpassword"))
 	http.SetCookie(writer, &http.Cookie{Name: "name", Value: post.Name, Path: "/", Domain: config.Domain, RawExpires: getSpecificSQLDateTime(time.Now().Add(time.Duration(31536000))),MaxAge: 31536000})
 	http.SetCookie(writer, &http.Cookie{Name: "email", Value: post.Email, Path: "/", Domain: config.Domain, RawExpires: getSpecificSQLDateTime(time.Now().Add(time.Duration(31536000))),MaxAge: 31536000})
@@ -422,7 +417,7 @@ func makePost(w http.ResponseWriter, r *http.Request) {
 			if thumb_filetype == "gif" {
 				thumb_filetype = "jpg"
 			}
-
+			post.FilenameOriginal = escapeString(post.FilenameOriginal)
 			post.Filename = getNewFilename()+"."+getFiletype(post.FilenameOriginal)
 			board_dir := getBoardArr("`id` = "+request.FormValue("boardid"))[0].Dir
 			file_path := path.Join(config.DocumentRoot,"/"+board_dir+"/src/",post.Filename)

src/server.go

@@ -88,11 +88,10 @@ func utilHandler(writer http.ResponseWriter, request *http.Request) {
 		return
 	}
 	var posts_arr []string
-	for key,value := range request.PostForm {
+	for key,_ := range request.PostForm {
 		if strings.Index(key,"check") == 0 {
 			posts_arr = append(posts_arr,key[5:])
 		}
-		fmt.Printf("%s: %s\n",key,value)
 	}
 	if request.PostFormValue("delete_btn") == "Delete" {
 		file_only := request.FormValue("fileonly") == "on"

src/template.go

@@ -67,6 +67,15 @@ var funcMap = template.FuncMap{
 	"formatTimestamp": func(timestamp time.Time) string {
 		return humanReadableTime(timestamp)
 	},
+	"getThreadID": func(post_i interface{}) (thread int) {
+		post := post_i.(PostTable)
+		if post.ParentID == 0 {
+			thread = post.ID
+		} else {
+			thread = post.ParentID
+		}
+		return
+	},
 	"getThumbnailFilename": func(name string) string {
 		filetype := name[len(name)-4:]
 		if filetype == ".gif" || filetype == ".GIF" {

templates/img_boardpage.html

@@ -51,43 +51,41 @@
 	<div id="content">
 		<form action="/util" method="POST" id="main-form">
 			{{range $t, $thread := $thread_arr.Data}}
-				
-					{{$post := $thread.OP}}
-					<div class="thread" id="{{$post.ID}}">
-						{{if stringNeq $post.Filename ""}}
-							{{if stringNeq $post.Filename "deleted"}}
-								<span class="file-info">File: <a href="{{$board.Dir}}/src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />
-							{{end}}
-							{{if stringEq $post.Filename "deleted"}}
-								<div class="file-deleted-box">
-									<center>File removed</center>
-								</div>
-							{{else}}
-								<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$post.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $post.Filename}}" width="{{$post.ThumbW}}" height="{{$post.ThumbH}}" class="thumbnail" /></a>
-							{{end}}
+				{{$post := $thread.OP}}
+				<div class="thread" id="{{$post.ID}}">
+					{{if stringNeq $post.Filename ""}}
+						{{if stringNeq $post.Filename "deleted"}}
+							<span class="file-info">File: <a href="src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />
 						{{end}}
-						<label class="post-info"><input type="checkbox" id="{{$post.ID}}" name="check{{$post.ID}}" /> <span class="postername">{{if stringEq $post.Name ""}}{{$board.Anonymous}}{{else}}{{$post.Name}}{{end}}</span>{{if stringNeq $post.Tripcode ""}}<span class="tripcode">!{{$post.Tripcode}}</span>{{end}} {{formatTimestamp $post.Timestamp}} <a href="135693079632">No.</a> <a href="{{$post.ID}}i">{{$post.ID}}</a></label> <span class="post-links"><span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span></span><br />
-						<div class="posttext">
-							{{$post.Message}}<br />
-							{{if gt $thread.NumReplies 3}}
-								<b>{{subtract $thread.NumReplies 3}} post{{if gt $thread.NumReplies 4}}s{{end}} omitted</b>
-							{{end}}
-						</div>
-						{{range $r, $reply := $thread.BoardReplies}}
-							<div class="post" id="{{$reply.ID}}">
-								<label class="post-info"><input type="checkbox" id="{{$reply.ID}}" name="check{{$reply.ID}}" /> <span class="postername">{{if stringEq $reply.Name ""}}{{$board.Anonymous}}{{else}}{{$reply.Name}}{{end}}</span>{{if stringNeq $reply.Tripcode ""}}<span class="tripcode">!{{$reply.Tripcode}}</span>{{end}} {{formatTimestamp $reply.Timestamp}} <a href="135693079632">No.</a> <a href="{{$reply.ID}}i">{{$reply.ID}}</a></label> <span class="post-links"><span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span></span><br />
-								{{if stringNeq $reply.Filename ""}}
-									<span class="file-info">File: <a href="{{$board.Dir}}/src/{{$reply.Filename}}">{{$reply.Filename}}</a> - ({{formatFilesize $reply.Filesize}} , {{$reply.ImageW}},{{$reply.ImageH}}, {{$reply.FilenameOriginal}} )</span><br />
-									<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$reply.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $reply.Filename}}" width="{{$reply.ThumbW}}" height="{{$reply.ThumbH}}" class="thumbnail" /></a>
-								{{end}}
-								<div class="posttext">
-									{{$reply.Message}}
-								</div>
+						{{if stringEq $post.Filename "deleted"}}
+							<div class="file-deleted-box">
+								<center>File removed</center>
 							</div>
+						{{else}}
+							<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$post.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $post.Filename}}" width="{{$post.ThumbW}}" height="{{$post.ThumbH}}" class="thumbnail" /></a>
 						{{end}}
+					{{end}}
+					<label class="post-info"><input type="checkbox" id="{{$post.ID}}" name="check{{$post.ID}}" /> <span class="postername">{{if stringEq $post.Name ""}}{{$board.Anonymous}}{{else}}{{$post.Name}}{{end}}</span>{{if stringNeq $post.Tripcode ""}}<span class="tripcode">!{{$post.Tripcode}}</span>{{end}} {{formatTimestamp $post.Timestamp}} <a href="res/{{getThreadID $post}}.html">No.</a> <a href="res/{{getThreadID $post}}.html#{{$post.ID}}i">{{$post.ID}}</a></label> <span class="post-links"><span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span> [<a href="res/{{$post.ID}}.html">View</a>]</span><br />
+					<div class="posttext">
+						{{$post.Message}}<br />
+						{{if gt $thread.NumReplies 3}}
+							<b>{{subtract $thread.NumReplies 3}} post{{if gt $thread.NumReplies 4}}s{{end}} omitted</b>
+						{{end}}
+					</div>
+					{{range $r, $reply := $thread.BoardReplies}}
+						<div class="post" id="{{$reply.ID}}">
+							<label class="post-info"><input type="checkbox" id="{{$reply.ID}}" name="check{{$reply.ID}}" /> <span class="postername">{{if stringEq $reply.Name ""}}{{$board.Anonymous}}{{else}}{{$reply.Name}}{{end}}</span>{{if stringNeq $reply.Tripcode ""}}<span class="tripcode">!{{$reply.Tripcode}}</span>{{end}} {{formatTimestamp $reply.Timestamp}} <a href="res/{{getThreadID $post}}.html">No.</a> <a href="res/{{getThreadID $reply}}.html#{{$reply.ID}}i">{{$reply.ID}}</a></label> <span class="post-links"><span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span></span><br />
+							{{if stringNeq $reply.Filename ""}}
+								<span class="file-info">File: <a href="src/{{$reply.Filename}}">{{$reply.Filename}}</a> - ({{formatFilesize $reply.Filesize}} , {{$reply.ImageW}},{{$reply.ImageH}}, {{$reply.FilenameOriginal}} )</span><br />
+								<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$reply.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $reply.Filename}}" width="{{$reply.ThumbW}}" height="{{$reply.ThumbH}}" class="thumbnail" /></a>
+							{{end}}
+							<div class="posttext">
+								{{$reply.Message}}
+							</div>
 						</div>
-						<hr />
-				
+					{{end}}
+				</div>
+				<hr />
 			{{end}}
 
 			<div id="left-bottom-content">

templates/img_thread.html

@@ -56,7 +56,7 @@
 	<div id="content">
 		<form action="/util" method="POST" id="main-form">
 		<div class="thread" id="{{$op.ID}}">{{range $post_num,$post := $post_arr}}{{if intEq $post_num 0}}
-			{{if stringNeq $post.Filename ""}}{{if stringNeq $post.Filename "deleted"}}<span class="file-info">File: <a href="{{$board.Dir}}/src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />{{end}}
+			{{if stringNeq $post.Filename ""}}{{if stringNeq $post.Filename "deleted"}}<span class="file-info">File: <a href="../src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />{{end}}
 				{{if stringEq $post.Filename "deleted"}}<div class="file-deleted-box"><center>File removed</center></div>{{else}}<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$post.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $post.Filename}}" width="{{$post.ThumbW}}" height="{{$post.ThumbH}}" class="thumbnail" /></a>{{end}}{{end}}
 			<label class="post-info"><input type="checkbox" id="{{$post.ID}}" name="check{{$post.ID}}" /> <span class="subject">{{$post.Subject}}</span> <span class="postername">{{if stringNeq $post.Email ""}}<a href="mailto:{{$post.Email}}">{{if stringEq $post.Name ""}}{{$board.Anonymous}}{{else}}{{$post.Name}}{{end}}</a>{{end}}</span>{{if stringNeq $post.Tripcode ""}}<span class="tripcode">!{{$post.Tripcode}}</span>{{end}} {{formatTimestamp $post.Timestamp}} <a href="/{{$board.Dir}}/res/{{$post.ID}}.html#{{$post.ID}}">No.</a> <a href="/{{$board.Dir}}/res/{{$post.ID}}.html#i{{$post.ID}}">{{$post.ID}}</a></label> <span class="post-links"> <span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span></span><br />
 			<div class="posttext">
@@ -64,7 +64,7 @@
 			</div>{{else}}
 			<div class="post" id="{{$post.ID}}">
 				<label class="post-info"><input type="checkbox" id="{{$post.ID}}" name="check{{$post.ID}}" /> <span class="postername">{{if stringEq $post.Name ""}}{{$board.Anonymous}}{{else}}{{$post.Name}}{{end}}</span>{{if stringNeq $post.Tripcode ""}}<span class="tripcode">!{{$post.Tripcode}}</span>{{end}} {{formatTimestamp $post.Timestamp}} <a href="135693079632">No.</a> <a href="{{$post.ID}}i">{{$post.ID}}</a></label> <span class="post-links"><span class="thread-ddown">[<a href="javascript:void(0)">&#9660;</a>]</span></span><br />
-				{{if stringNeq $post.Filename ""}}<span class="file-info">File: <a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />
+				{{if stringNeq $post.Filename ""}}<span class="file-info">File: <a href="../src/{{$post.Filename}}">{{$post.Filename}}</a> - ({{formatFilesize $post.Filesize}} , {{$post.ImageW}}x{{$post.ImageH}}, {{$post.FilenameOriginal}} )</span><br />
 				<a href="{{$config.SiteWebfolder}}{{$board.Dir}}/src/{{$post.Filename}}" target="_blank"><img src="{{$config.SiteWebfolder}}{{$board.Dir}}/thumb/{{imageToThumbnailPath $post.Filename}}" width="{{$post.ThumbW}}" height="{{$post.ThumbH}}" class="thumbnail" /></a>{{end}}
 
 				<div class="posttext">