Merge pull request '[v8.0/forgejo] disallow javascript: URI in the repository description' (#4901) from bp-v8.0/forgejo-bb448f3 into v8.0/forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4901
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Gusted 2024-08-09 06:59:16 +00:00
commit 4d0be867a2
2 changed files with 5 additions and 1 deletions


@ -179,6 +179,7 @@ func createDefaultPolicy() *bluemonday.Policy {
// repository descriptions. // repository descriptions.
func createRepoDescriptionPolicy() *bluemonday.Policy { func createRepoDescriptionPolicy() *bluemonday.Policy {
policy := bluemonday.NewPolicy() policy := bluemonday.NewPolicy()
policy.AllowStandardURLs()
// Allow italics and bold. // Allow italics and bold.
policy.AllowElements("i", "b", "em", "strong") policy.AllowElements("i", "b", "em", "strong")
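Review bot: The new `policy.AllowStandardURLs()` call carries no comment, and it does considerably more than strip `javascript:` hrefs: the expected output change in the test file (`rel="noopener noreferrer nofollow"`) shows it also forces `rel="nofollow"` onto links, and bluemonday's helper additionally requires parseable URLs, limits schemes to http/https/mailto and permits relative URLs. A one-line comment would stop a later maintainer from removing it as redundant once `a`/`href` are allowed elsewhere in this function, e.g. `// Restrict href/src to parseable http, https, mailto or relative URLs (drops javascript:/data:); also adds rel="nofollow" to links.` Attribute allow-lists alone do not filter URL schemes, so this call is the actual fix and should stay even if the element/attribute rules below are reorganized. createRepoDescriptionPolicy continues past the hunk, so where `a` and `href` are allowed is not visible here.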


@ -82,12 +82,15 @@ func TestDescriptionSanitizer(t *testing.T) {
`<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`,
`<span style="color: red">Hello World</span>`, `<span>Hello World</span>`, `<span style="color: red">Hello World</span>`, `<span>Hello World</span>`,
`<br>`, ``, `<br>`, ``,
`<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer nofollow">https://example.com</a>`,
`<mark>Important!</mark>`, `Important!`, `<mark>Important!</mark>`, `Important!`,
`<details>Click me! <summary>Nothing to see here.</summary></details>`, `Click me! Nothing to see here.`, `<details>Click me! <summary>Nothing to see here.</summary></details>`, `Click me! Nothing to see here.`,
`<input type="hidden">`, ``, `<input type="hidden">`, ``,
`<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`, `<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`, `<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`, `<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`,
`Provides alternative <code>wg(8)</code> tool`, `Provides alternative <code>wg(8)</code> tool`, `Provides alternative <code>wg(8)</code> tool`, `Provides alternative <code>wg(8)</code> tool`,
`<a href="javascript:alert('xss')">Click me</a>.`, `Click me.`,
`<a href="data:text/html,<script>alert('xss')</script>">Click me</a>.`, `Click me.`,
`<a href="vbscript:msgbox("xss")">Click me</a>.`, `Click me.`,
} }
for i := 0; i < len(testCases); i += 2 { for i := 0; i < len(testCases); i += 2 {
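Review bot: The changed expectation on the `https://example.com` case now carries `nofollow`, which records a behaviour change for every link in a repository description rather than only the `javascript:` case named in the PR title; that is worth stating in the description so the diff is not read as a test-only tweak. The three new cases exercise lower-case schemes on `href` only; since scheme rejection rests on URL parsing and normalisation, a mixed-case variant such as `` `<a href="JavaScript:alert('xss')">Click me</a>.`, `Click me.`, `` would pin that normalisation as well. If the description policy ever allows other URL-bearing attributes (`src`, `cite`), the same cases should be repeated for them, which the hunk does not show. TestDescriptionSanitizer starts before the hunk and its assertion loop continues after it.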