	disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows `href`s in anchor elements to be set to a
`javascript:` URI in the repository description, which would execute the
specified JavaScript in that URI when the anchor element is clicked (not
when the page loads).
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
(cherry picked from commit bb448f3dc2)
	
	
This commit is contained in:
		
					parent
					
						
							
								1c0043efd6
							
						
					
				
			
			
				commit
				
					
						dccf180307
					
				
			
		
					 2 changed files with 5 additions and 1 deletions
				
			
		|  | @ -179,6 +179,7 @@ func createDefaultPolicy() *bluemonday.Policy { | |||
| // repository descriptions. | ||||
| func createRepoDescriptionPolicy() *bluemonday.Policy { | ||||
| 	policy := bluemonday.NewPolicy() | ||||
| 	policy.AllowStandardURLs() | ||||
| 
 | ||||
| 	// Allow italics and bold. | ||||
| 	policy.AllowElements("i", "b", "em", "strong") | ||||
|  |  | |||
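Review bot: The added `policy.AllowStandardURLs()` is a convenience call that, per bluemonday's documentation, does more than restrict `href` to `mailto`/`http`/`https`: it also permits relative URLs, sets `rel="nofollow"` on links, and grants `cite` on `blockquote`/`q` and `src` on `img`, so the scheme restriction only stays the whole story while the element allowlist below excludes those elements. I would document that coupling right at the call: `// AllowStandardURLs limits href to mailto/http/https (plus relative URLs) and adds rel="nofollow"; it also grants src on img and cite on blockquote/q, which stay inert unless those elements are added below.` The unit test mentioned in the description is not in this chunk; it should assert the exact sanitized output for a `javascript:` href (attribute dropped) and for an `https:` href (`rel="nofollow"` present) so a later change to the element list is caught. createRepoDescriptionPolicy continues past the end of the hunk.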