From f286387647926537ad0c2f66bf0b0e0bf0d85644 Mon Sep 17 00:00:00 2001
From: Alexander Medvednikov
Date: Wed, 11 Dec 2019 03:20:30 +0300
Subject: [PATCH] vweb: secure HttpOnly cookies

---
vlib/builtin/string_test.v | 5 +++++
vlib/vweb/tmpl/tmpl.v | 2 +-
vlib/vweb/vweb.v | 4 ++--
3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/vlib/builtin/string_test.v b/vlib/builtin/string_test.v
index 9bb7124db9..d16aceb112 100644
--- a/vlib/builtin/string_test.v
+++ b/vlib/builtin/string_test.v
@@ -233,6 +233,11 @@ fn test_replace_each() {
 '[code]', '',
 '[/code]', ''
 ]) == 'bold code'
+ bb2 := '[b]cool[/b]'
+ assert bb2.replace_each([
+ '[b]', '',
+ '[/b]', '',
+ ]) == 'cool'
 }
 
 fn test_itoa() {
diff --git a/vlib/vweb/tmpl/tmpl.v b/vlib/vweb/tmpl/tmpl.v
index e75784120d..61ecb34484 100644
--- a/vlib/vweb/tmpl/tmpl.v
+++ b/vlib/vweb/tmpl/tmpl.v
@@ -76,7 +76,7 @@ _ = header
 }
 // HTML, may include `@var`
 else {
- s.writeln(line.replace('@', '\x24').replace('\'', '"') )
+ s.writeln(line.replace('@', '\x24').replace("'", '"') )
 }
 }
 s.writeln(STR_END)
diff --git a/vlib/vweb/vweb.v b/vlib/vweb/vweb.v
index a422b6fbab..d97802b8a3 100644
--- a/vlib/vweb/vweb.v
+++ b/vlib/vweb/vweb.v
@@ -74,11 +74,11 @@ pub fn (ctx Context) not_found(s string) {
 pub fn (ctx mut Context) set_cookie(key, val string) {
 // TODO support directives, escape cookie value (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie)
 //println('Set-Cookie $key=$val')
- ctx.add_header('Set-Cookie', '$key=$val')
+ ctx.add_header('Set-Cookie', '$key=$val; Secure; HttpOnly')
 }
 
 pub fn (ctx &Context) get_cookie(key string) ?string { // TODO refactor
- cookie_header := ' ' + ctx.get_header('Cookie')
+ cookie_header := ' ' + ctx.get_header('cookie')
 cookie := if cookie_header.contains(';') {
 cookie_header.find_between(' $key=', ';')
 } else {
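Review bot: The rewritten `s.writeln(...)` line still rewrites every `@` to `$` and every `'` to `"` across the whole HTML line, so an `@var` placeholder (which the comment above says the line may contain) is substituted verbatim with no HTML encoding, and any literal `@` or apostrophe in page text (an e-mail address, `it's`) is mangled as well. If a substituted value can come from a request, that is an XSS vector the quote-style change does not touch; at minimum I would add a comment on this line such as `// NOTE: @var is interpolated verbatim — HTML-escape untrusted values before handing them to the template`. A narrower transform (only `@` followed by an identifier character, apostrophes left alone) would be the real fix, but that reworks the loop, whose body begins and ends outside this hunk.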
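Review bot: `key` and `val` are still interpolated verbatim into the new `Set-Cookie` line, so a value containing `;`, `\r` or `\n` can append its own cookie attributes or, depending on how `add_header` serialises the line, a further response header — the added `Secure; HttpOnly` flags do not close the gap that the TODO two lines up already names. I would reject (or percent-encode) values containing `;`, CR or LF before the `add_header` call rather than leaving it for later. Note also that `Secure` is now unconditional, so over plain HTTP (typical local development) browsers will not store the cookie and `get_cookie` will never find it; a comment on the function stating that cookies are only usable over TLS, or a parameter to opt out, would avoid surprising callers. While the attribute list is being touched, `SameSite` is the other flag a cookie helper should default to: `ctx.add_header('Set-Cookie', '$key=$val; Secure; HttpOnly; SameSite=Lax')`. The `get_cookie` body continues past the end of this hunk.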