davrot/forgejo_backup
1
0
Fork 0
mirror of https://codeberg.org/davrot/forgejo.git synced 2025-05-17 23:00:02 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

disallow javascript: URI in the repository description

Browse source 
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
This commit is contained in:
Gusted 2024-08-07 17:04:03 +02:00 committed by forgejo-backport-action
parent 1c0043efd6
commit dccf180307
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/markup/sanitizer.go
View file

@ -179,6 +179,7 @@ func createDefaultPolicy() *bluemonday.Policy {
// repository descriptions.
func createRepoDescriptionPolicy() *bluemonday.Policy {
policy := bluemonday.NewPolicy()
policy.AllowStandardURLs()
// Allow italics and bold.
policy.AllowElements("i", "b", "em", "strong")