mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-23 07:43:18 -05:00
forgejo/modules
Gusted 542281ab9f disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows `href`s in anchor elements to be set to a `javascript:` URI in the repository description, which would, upon clicking (and not upon loading) the anchor element, execute the specified JavaScript in that URI.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://`, thereby disallowing the `javascript:` URI. It also now allows non-relative links and sets `rel="nofollow"` on anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:13 +00:00
actions enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
activitypub enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
analyze
assetfs enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
auth enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
avatar enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
base enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
cache enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
charset enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
container
csv enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
emoji
eventsource
generate enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
git enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
gitgraph models/asymkey: Implement Tag verification 2024-04-01 13:42:11 +00:00
gitrepo
graceful enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
hcaptcha
highlight enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
hostmatcher
html
httpcache
httplib enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
indexer enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
issue/template
json
label
lfs enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
log enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
markup disallow javascript: URI in the repository description 2024-08-09 05:57:13 +00:00
mcaptcha
metrics
migration enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
nosql s/Gitea/Forgejo in various log messages and comments 2024-04-22 14:41:17 +00:00
optional enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
options
packages enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
paginator
pprof
private Move database operations of merging a pull request to post receive hook and add a transaction (#30805) 2024-05-14 15:37:32 +02:00
process [FIX] make pprof labels conformant with prometheus spec 2024-04-01 18:22:11 +00:00
proxy
proxyprotocol
public enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
queue enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
recaptcha
references enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
regexplru enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
repository enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
secret enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
session Avoid importing modules/web/middleware in modules/session (#30584) (#30589) 2024-04-21 18:16:09 +02:00
setting enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
sitemap enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
ssh
storage enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
structs enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
svg
sync
system enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
templates enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
test test(util): MockProtect when mocking multiple times 2024-06-02 14:32:00 +00:00
testlogger Merge pull request '[v7.0/forgejo] [FEAT] Mark database errors in tests as failure' (#2978) from bp-v7.0/forgejo-2dabd20 into v7.0/forgejo 2024-04-02 15:53:23 +00:00
timeutil Remove the time-since class (#29826) 2024-03-20 08:46:30 +01:00
translation enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
turnstile
typesniffer enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
updatechecker enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
uri enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
user enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
util enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
validation
web enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
webhook [FEAT] sourcehut webhooks 2024-04-05 19:36:04 +00:00