forgejo/modules/markup
Gusted bb448f3dc2
disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` URI in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
JavaScript in that URI.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallows the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.
2024-08-09 07:04:01 +02:00
asciicast
common
console Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
csv Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
external
markdown Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
mdstripper
orgmode Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
tests/repo/repo1_filepreview
camo.go
camo_test.go
file_preview.go
html.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 03:19:26 +02:00
html_internal_test.go [BUG] Render references to cross-repo issues with external issues 2024-08-07 03:19:26 +02:00
html_test.go Add testifylint to lint checks (#4535) 2024-07-30 19:41:10 +00:00
renderer.go
renderer_test.go
sanitizer.go disallow javascript: URI in the repository description 2024-08-09 07:04:01 +02:00
sanitizer_test.go disallow javascript: URI in the repository description 2024-08-09 07:04:01 +02:00