mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-10 04:05:42 +01:00
dccf180307
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| asciicast | ||
| common | ||
| console | ||
| csv | ||
| external | ||
| markdown | ||
| mdstripper | ||
| orgmode | ||
| tests/repo/repo1_filepreview | ||
| camo.go | ||
| camo_test.go | ||
| file_preview.go | ||
| html.go | ||
| html_internal_test.go | ||
| html_test.go | ||
| renderer.go | ||
| renderer_test.go | ||
| sanitizer.go | ||
| sanitizer_test.go | ||