mirror of
1
Fork 0
forgejo/modules/markup
Gusted dccf180307 disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:21 +00:00
..
asciicast Support asciicast files as new markup (#22448) 2023-01-18 08:46:58 +08:00
common [GITEA] test markdown CleanValue to prevent regression 2024-02-05 16:09:41 +01:00
console enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
csv enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
external Rework markup link rendering (#26745) 2024-01-15 08:49:24 +00:00
markdown enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
mdstripper Resolve lint for unused parameter and unnecessary type arguments (#30750) 2024-05-05 08:38:16 +01:00
orgmode enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
tests/repo/repo1_filepreview Update test 2024-03-28 04:20:13 +01:00
camo.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
camo_test.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
file_preview.go Fix issue where rendering stops after the first invalid parmalink 2024-04-19 18:21:21 +02:00
html.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 05:43:24 +00:00
html_internal_test.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 05:43:24 +00:00
html_test.go enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
renderer.go Merge pull request 'Render inline file permalinks' (#2669) from Mai-Lapyst/forgejo:markup-add-filepreview into forgejo 2024-04-01 13:57:01 +00:00
renderer_test.go Move `IsReadmeFile*` from `modules/markup/` to `modules/util` (#22877) 2023-02-13 15:01:09 -05:00
sanitizer.go disallow javascript: URI in the repository description 2024-08-09 05:57:21 +00:00
sanitizer_test.go disallow javascript: URI in the repository description 2024-08-09 05:57:21 +00:00