
Document form handling, sanitise reply addresses

tags/v1.0.0
Chris Smith 5 years ago
parent
commit
d33d00df7f
2 changed files with 10 additions and 1 deletions
  1. 4
    0
      README.adoc
  2. 6
    1
      main.go

+ 4
- 0
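--- a/README.adoc
+++ b/README.adoc
@@ -56,6 +56,10 @@ and `failure.html` respectively. Each is loaded as a https://golang.org/pkg/html
 can use the templating syntax described there. The form must contain the `{{ .csrfField }}` template field, which
 will automatically insert the CSRF token for the request.
 
+If the form contains a field named `from`, it will be used in the `Reply-To` header. Otherwise, no
+special processing is applied to any field; they are all simply written out to the message body.
+No server-side validation is performed.
+
 When running from the docker image, templates are stored in `/templates`; you can
 replace this with a volume to supply custom templates.
 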

+ 6
- 1
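--- a/main.go
+++ b/main.go
@@ -43,7 +43,12 @@ func handleForm(rw http.ResponseWriter, req *http.Request) {
 			body += fmt.Sprintf("%s:\r\n%s\r\n\r\n", strings.ToUpper(k), v[0])
 		}
 	}
-	if sendMail(req.Form.Get("from"), body) {
+
+	replyTo := req.Form.Get("from")
+	replyTo = strings.ReplaceAll(replyTo, "\n", "")
+	replyTo = strings.ReplaceAll(replyTo, "\r", "")
+
+	if sendMail(replyTo, body) {
 		rw.Header().Add("Location", "success")
 	} else {
 		rw.Header().Add("Location", "failure")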
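Review bot: Stripping CR and LF from `replyTo` closes the header-folding case, but the value is still forwarded to sendMail as a Reply-To without being checked that it is an address at all, so any other user-controlled text (including a very long string or a comma-separated list) still lands in the header. Parsing it with the standard library is stricter and shorter than the two ReplaceAll lines: `if _, err := mail.ParseAddress(replyTo); err != nil { replyTo = "" }` rejects anything that is not a single RFC 5322 address, newlines included; this needs `net/mail` in the import block, which is outside the hunk. How sendMail treats an empty reply address is not visible here, so confirm that "" results in no Reply-To header rather than a malformed one. A short comment above the assignment, `// Reply-To is user-supplied; it must never reach the header unvalidated.`, would record why the line exists. handleForm starts and ends outside this hunk.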
