This is a security release. See the documentation for more information on the [upgrade procedure](https://forgejo.org/docs/v7.0/admin/upgrade/).
- Security
  - A [change introduced in Forgejo v1.21](https://codeberg.org/forgejo/forgejo/pulls/1433) allows a Forgejo user with write permission on a repository description to [inject a client-side script into the web page viewed by the visitor](https://en.wikipedia.org/wiki/Cross-site_scripting). This XSS allows the `href` of an anchor element in the repository description to be set to a `javascript:` URI, which executes the specified script when the link is clicked (not when the page loads). [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://`, thereby disallowing the `javascript:` URI.
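To show what the tightened policy enforces, here is an added Go example (not Forgejo's or bluemonday's own code) that re-implements, with the standard library only, the href checks that `AllowStandardURLs` switches on (the URL must parse, and be either relative or use the `mailto`, `http` or `https` scheme) and applies them to a constructed rendered description. The names `hrefAllowed` and `sanitizeDescription` and the regexp-based attribute stripping are this example's own simplifications, not the library's API.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// allowedSchemes mirrors the set AllowStandardURLs accepts for href:
// mailto, http and https. javascript:, data:, vbscript: etc. fall outside it.
var allowedSchemes = map[string]bool{"mailto": true, "http": true, "https": true}

// hrefAllowed reports whether a raw href value would survive the policy.
// Assumed re-implementation of the three checks: parseable, and either
// relative or carrying an allowed scheme.
func hrefAllowed(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false // unparseable (e.g. control characters in the value) is rejected
	}
	if !u.IsAbs() {
		return true // relative link such as "/owner/repo" or "#readme"
	}
	// url.Parse lowercases the scheme, so "JavaScript:" is caught as well.
	return allowedSchemes[u.Scheme]
}

// hrefAttr matches an href attribute inside an <a ...> start tag. A regexp is
// used only to keep this example dependency-free; a real sanitizer walks the DOM.
var hrefAttr = regexp.MustCompile(`(?i)(<a\b[^>]*?)\s+href\s*=\s*"([^"]*)"`)

// sanitizeDescription drops every href whose value fails hrefAllowed, so the
// anchor text stays but no longer carries a clickable URI.
func sanitizeDescription(html string) string {
	return hrefAttr.ReplaceAllStringFunc(html, func(tag string) string {
		m := hrefAttr.FindStringSubmatch(tag)
		if hrefAllowed(m[2]) {
			return tag
		}
		return m[1]
	})
}

func main() {
	// Constructed rendered description: one hostile link, one ordinary link.
	desc := `<a href="javascript:alert(document.cookie)">docs</a> and <a href="https://example.org">site</a>`
	fmt.Println(sanitizeDescription(desc))
}
```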
<!--start release-notes-assistant-->
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4896) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4900)): <!--number 4900 --><!--line 0 --><!--description ZGlzYWxsb3cgamF2YXNjcmlwdDogVVJJIGluIHRoZSByZXBvc2l0b3J5IGRlc2NyaXB0aW9u-->disallow javascript: URI in the repository description<!--description-->
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/4568) ([backported](https://codeberg.org/forgejo/forgejo/pulls/4882)): <!--number 4882 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgIzQ1NjggIzQ2NjggYW5kICM0NzgzIHRvIHY3-->i18n: backport of #4568 #4668 and #4783 to v7<!--description-->
<!--end release-notes-assistant-->