authormhsanaei <ho3ein.sanaei@gmail.com>2024-07-15 00:37:43 +0300
committermhsanaei <ho3ein.sanaei@gmail.com>2024-07-15 00:37:43 +0300
commitde985263f52fb2c59286524bab16ca679695d6bc (patch)
tree307d7fbb203868fdf0a1cb469db60d314989d55f /web/controller/index.go
parentdfe0bbd37149a3f77e72ae5326be4233c3e8f794 (diff)
safe login
Co-Authored-By: Alireza Ahmadi <alireza7@gmail.com>
Diffstat (limited to 'web/controller/index.go')
-rw-r--r--web/controller/index.go12
1 files changed, 8 insertions, 4 deletions
diff --git a/web/controller/index.go b/web/controller/index.go
index c4fe5eb2..35c10c65 100644
--- a/web/controller/index.go
+++ b/web/controller/index.go
@@ -2,6 +2,7 @@ package controller
import (
"net/http"
+ "text/template"
"time"
"x-ui/logger"
@@ -64,14 +65,17 @@ func (a *IndexController) login(c *gin.Context) {
user := a.userService.CheckUser(form.Username, form.Password, form.LoginSecret)
timeStr := time.Now().Format("2006-01-02 15:04:05")
+ safeUser := template.HTMLEscapeString(form.Username)
+ safePass := template.HTMLEscapeString(form.Password)
+ safeSecret := template.HTMLEscapeString(form.LoginSecret)
if user == nil {
- logger.Warningf("wrong username or password or secret: \"%s\" \"%s\" \"%s\"", form.Username, form.Password, form.LoginSecret)
- a.tgbot.UserLoginNotify(form.Username, form.Password, getRemoteIp(c), timeStr, 0)
+ logger.Warningf("wrong username or password or secret: \"%s\" \"%s\" \"%s\"", safeUser, safePass, safeSecret)
+ a.tgbot.UserLoginNotify(safeUser, safePass, getRemoteIp(c), timeStr, 0)
pureJsonMsg(c, http.StatusOK, false, I18nWeb(c, "pages.login.toasts.wrongUsernameOrPassword"))
return
} else {
- logger.Infof("%s logged in successfully, Ip Address: %s\n", form.Username, getRemoteIp(c))
- a.tgbot.UserLoginNotify(form.Username, ``, getRemoteIp(c), timeStr, 1)
+ logger.Infof("%s logged in successfully, Ip Address: %s\n", safeUser, getRemoteIp(c))
+ a.tgbot.UserLoginNotify(safeUser, ``, getRemoteIp(c), timeStr, 1)
}
sessionMaxAge, err := a.settingService.GetSessionMaxAge()
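Review bot: The failed-login branch still writes the submitted password and login secret to the log through `logger.Warningf(..., safeUser, safePass, safeSecret)` and still hands the password to `a.tgbot.UserLoginNotify`; HTML-escaping the values does not reduce that exposure, and a mistyped attempt is often one character away from the real credential. I would drop both values from the log line and the notification, for example `logger.Warningf("wrong username or password or secret: %q", form.Username)` and `a.tgbot.UserLoginNotify(safeUser, "", getRemoteIp(c), timeStr, 0)`. HTML escaping is the right encoding only if the Telegram message is rendered as HTML, which is not visible here; for the log sink `%q` is the better fit because it also escapes line breaks, which `template.HTMLEscapeString` leaves intact. The body of `login` starts and ends outside this hunk, so any later use of `form.Password` is not covered by this note.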