forgejo/modules/markup
Gusted bb448f3dc2
disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
2024-08-09 07:04:01 +02:00
..
asciicast
common [GITEA] test markdown CleanValue to prevent regression 2024-02-05 16:09:41 +01:00
console Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
csv Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
external Rework markup link rendering (#26745) 2024-01-15 08:49:24 +00:00
markdown Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
mdstripper Resolve lint for unused parameter and unnecessary type arguments (#30750) 2024-05-05 08:38:16 +01:00
orgmode Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
tests/repo/repo1_filepreview Update test 2024-03-28 04:20:13 +01:00
camo.go
camo_test.go
file_preview.go Fix issue where rendering stops after the first invalid parmalink 2024-04-19 18:21:21 +02:00
html.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 03:19:26 +02:00
html_internal_test.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 03:19:26 +02:00
html_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
renderer.go [CHORE] Remove github.com/yuin/goldmark-meta 2024-07-07 03:18:13 +02:00
renderer_test.go
sanitizer.go disallow javascript: URI in the repository description 2024-08-09 07:04:01 +02:00
sanitizer_test.go disallow javascript: URI in the repository description 2024-08-09 07:04:01 +02:00