dccf180307
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
(cherry picked from commit
|
||
---|---|---|
.. | ||
asciicast | ||
common | ||
console | ||
csv | ||
external | ||
markdown | ||
mdstripper | ||
orgmode | ||
tests/repo/repo1_filepreview | ||
camo.go | ||
camo_test.go | ||
file_preview.go | ||
html.go | ||
html_internal_test.go | ||
html_test.go | ||
renderer.go | ||
renderer_test.go | ||
sanitizer.go | ||
sanitizer_test.go |