forgejo/modules
Gusted dccf180307 disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` URI in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
JavaScript in that URI.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://`, thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:21 +00:00
actions enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
activitypub enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
auth enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
avatar enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
base enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
cache enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
charset enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
container Add container.FilterSlice function (gitea#30339) 2024-04-16 11:49:44 +02:00
csv enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
emoji Update emoji set to Unicode 15 (#25595) 2023-06-29 16:29:48 +00:00
eventsource Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
forgefed fix review 2024-05-29 18:31:06 +02:00
generate enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
git enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
gitgraph Add codespell support and fix a good number of typos with its help (#3270) 2024-05-09 13:49:37 +00:00
gitrepo Move get/set default branch from git package to gitrepo package to hide repopath (#29126) 2024-03-11 23:36:59 +07:00
graceful enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
hcaptcha
highlight enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) 2023-10-18 09:44:36 +00:00
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache [BRANDING] add X-Forgejo-* headers 2024-02-05 16:02:14 +01:00
httplib enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
indexer enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
issue/template Support setting the default attribute of the issue template dropdown field (#31045) 2024-05-26 20:13:09 +02:00
json Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
label
lfs enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
log enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
markup disallow javascript: URI in the repository description 2024-08-09 05:57:21 +00:00
mcaptcha
metrics Rename project board -> column to make the UI less confusing (#30170) 2024-06-02 09:42:39 +02:00
migration enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
nosql s/Gitea/Forgejo in various log messages and comments 2024-04-21 21:26:15 +05:00
optional enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
options
packages enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
paginator Use more specific test methods (#24265) 2023-04-22 17:56:27 -04:00
pprof
private fix(hook): ignore unknown push options instead of failing 2024-07-02 20:18:33 +00:00
process Add codespell support and fix a good number of typos with its help (#3270) 2024-05-09 13:49:37 +00:00
proxy
proxyprotocol
public Refactor CORS handler (#28587) 2023-12-25 20:13:18 +08:00
queue enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
recaptcha
references enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
regexplru enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
repository enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
secret enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
session Avoid importing modules/web/middleware in modules/session (#30584) 2024-04-21 16:28:16 +02:00
setting enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
sitemap enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
ssh Remove SSH workaround (#27893) 2023-11-03 15:21:05 +00:00
storage enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
structs enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync
system enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
templates enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
test test(util): MockProtect when mocking multiple times 2024-06-02 15:24:06 +02:00
testlogger Add codespell support and fix a good number of typos with its help (#3270) 2024-05-09 13:49:37 +00:00
timeutil Remove the time-since class (#29826) 2024-03-20 08:46:30 +01:00
translation enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
turnstile
typesniffer enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
updatechecker enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
uri enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
user enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
util enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
validation added validation fixes 2024-05-14 08:31:34 +02:00
web enable linter testifylint on v8 (#4573) 2024-07-30 19:41:27 +00:00
webhook Add support for workflow_dispatch (#3334) 2024-06-28 05:17:11 +00:00