fix(security): potential XSS vulnerabilities (#896)

Author: hshpy

internal/op/storage.go

@@ -3,6 +3,7 @@ package op
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"runtime"
 	"sort"
 	"strings"
@@ -135,7 +136,11 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	}
 	storagesMap.Store(driverStorage.MountPath, storageDriver)
 	if err != nil {
-		driverStorage.SetStatus(err.Error())
+		if IsUseOnlineAPI(storageDriver) {
+			driverStorage.SetStatus(utils.SanitizeHTML(err.Error()))
+		} else {
+			driverStorage.SetStatus(err.Error())
+		}
 		err = errors.Wrap(err, "failed init storage")
 	} else {
 		driverStorage.SetStatus(WORK)
@@ -144,6 +149,24 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	return err
 }
 
+func IsUseOnlineAPI(storageDriver driver.Driver) bool {
+	v := reflect.ValueOf(storageDriver.GetAddition())
+	if v.Kind() == reflect.Ptr {
+		v = v.Elem()
+	}
+	if !v.IsValid() || v.Kind() != reflect.Struct {
+		return false
+	}
+	field_v := v.FieldByName("UseOnlineAPI")
+	if !field_v.IsValid() {
+		return false
+	}
+	if field_v.Kind() != reflect.Bool {
+		return false
+	}
+	return field_v.Bool()
+}
+
 func EnableStorage(ctx context.Context, id uint) error {
 	storage, err := db.GetStorageById(id)
 	if err != nil {

pkg/utils/html.go

@@ -0,0 +1,9 @@
+package utils
+
+import "github.com/microcosm-cc/bluemonday"
+
+var htmlSanitizePolicy = bluemonday.StrictPolicy()
+
+func SanitizeHTML(s string) string {
+	return htmlSanitizePolicy.Sanitize(s)
+}