mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-09-20 13:05:57 +02:00
bb448f3dc2
- Fixes an XSS that was introduced in https://codeberg.org/forgejo/forgejo/pulls/1433 - This XSS allows for `href`s in anchor elements to be set to a `javascript:` uri in the repository description, which would upon clicking (and not upon loading) the anchor element execute the specified javascript in that uri. - [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI. It also now allows non-relative links and sets `rel="nofollow"` on anchor elements. - Unit test added. |
||
|---|---|---|
| .. | ||
| asciicast | ||
| common | ||
| console | ||
| csv | ||
| external | ||
| markdown | ||
| mdstripper | ||
| orgmode | ||
| tests/repo/repo1_filepreview | ||
| camo.go | ||
| camo_test.go | ||
| file_preview.go | ||
| html.go | ||
| html_internal_test.go | ||
| html_test.go | ||
| renderer.go | ||
| renderer_test.go | ||
| sanitizer.go | ||
| sanitizer_test.go | ||