mirror of
https://codeberg.org/forgejo/forgejo
synced 2024-11-25 11:16:11 +01:00
bb448f3dc2
- Fixes an XSS that was introduced in https://codeberg.org/forgejo/forgejo/pulls/1433 - This XSS allows for `href`s in anchor elements to be set to a `javascript:` uri in the repository description, which would upon clicking (and not upon loading) the anchor element execute the specified javascript in that uri. - [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI. It also now allows non-relative links and sets `rel="nofollow"` on anchor elements. - Unit test added. |
||
---|---|---|
.. | ||
asciicast | ||
common | ||
console | ||
csv | ||
external | ||
markdown | ||
mdstripper | ||
orgmode | ||
tests/repo/repo1_filepreview | ||
camo.go | ||
camo_test.go | ||
file_preview.go | ||
html.go | ||
html_internal_test.go | ||
html_test.go | ||
renderer.go | ||
renderer_test.go | ||
sanitizer.go | ||
sanitizer_test.go |