Mercurial > kallithea
view MANIFEST.in @ 7544:2ac4499b25eb
lib: sanitize HTML for all types of README rendering, not only markdown
The repository summary page will display a rendered version of the
repository 'readme' based on its file extension. In commit 5746cc3b3fa5,
the rendered output was already sanitized when the input was markdown.
However, also readmes written in other formats, like ReStructuredText (RST)
or plain text could have content that we want sanitized.
Therefore, move the sanitizing one level up so it covers all renderers, for
now and the future.
This fixes an XSS issue when a repository readme contains javascript code,
which would be executed when the repository summary page is visited by a
user.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Sat, 26 Jan 2019 20:27:50 +0100 |
parents | 19a9f02443c8 |
children | ddfecf9fe7f2 |
line wrap: on
line source
include .coveragerc include Apache-License-2.0.txt include CONTRIBUTORS include COPYING include Jenkinsfile include LICENSE-MERGELY.html include LICENSE.md include MIT-Permissive-License.txt include README.rst include dev_requirements.txt include development.ini include pytest.ini include requirements.txt include tox.ini recursive-include docs * recursive-include init.d * recursive-include kallithea/alembic * include kallithea/bin/ldap_sync.conf include kallithea/lib/paster_commands/template.ini.mako recursive-include kallithea/front-end * recursive-include kallithea/i18n * recursive-include kallithea/public * recursive-include kallithea/templates * recursive-include kallithea/tests/fixtures * recursive-include kallithea/tests/scripts * include kallithea/tests/models/test_dump_html_mails.ref.html include kallithea/tests/performance/test_vcs.py include kallithea/tests/vcs/aconfig recursive-include scripts *