Mercurial > kallithea
view CONTRIBUTORS @ 7552:e74aa69f6827 stable
lib: sanitize HTML for all types of README rendering, not only markdown
The repository summary page will display a rendered version of the
repository 'readme' based on its file extension. In commit 5746cc3b3fa5,
the rendered output was already sanitized when the input was markdown.
However, also readmes written in other formats, like ReStructuredText (RST)
or plain text could have content that we want sanitized.
Therefore, move the sanitizing one level up so it covers all renderers, for
now and the future.
This fixes an XSS issue when a repository readme contains javascript code,
which would be executed when the repository summary page is visited by a
user.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
| author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
|---|---|
| date | Sat, 26 Jan 2019 20:27:50 +0100 |
| parents | 92fd0b7ff4d9 |
| children | b3289fef0daa b2410a5d6563 |
line wrap: on
line source
List of contributors to Kallithea project: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> 2014-2018 Branko Majic <branko@majic.rs> 2015 2018 Mads Kiilerich <mads@kiilerich.com> 2016-2018 Mads Kiilerich <madski@unity3d.com> 2012-2017 Unity Technologies 2012-2017 Andrew Shadura <andrew@shadura.me> 2012 2014-2017 Dominik Ruf <dominikruf@gmail.com> 2012 2014 2016-2017 Étienne Gilli <etienne.gilli@gmail.com> 2015 2017 Sam Jaques <sam.jaques@me.com> 2015 2017 Ching-Chen Mao <mao@lins.fju.edu.tw> 2017 FUJIWARA Katsunori <foozy@lares.dti.ne.jp> 2017 Viktar Vauchkevich <victorenator@gmail.com> 2017 Takumi IINO <trot.thunder@gmail.com> 2012-2016 Søren Løvborg <sorenl@unity3d.com> 2015-2016 Anton Shestakov <av6@dwimlabs.net> 2016 Brandon Jones <bjones14@gmail.com> 2016 Konstantin Veretennicov <kveretennicov@gmail.com> 2016 Robert James Dennington <tinytimrob@googlemail.com> 2016 Aras Pranckevičius <aras@unity3d.com> 2012-2013 2015 Sean Farley <sean.michael.farley@gmail.com> 2013-2015 Christian Oyarzun <oyarzun@gmail.com> 2014-2015 Joseph Rivera <rivera.d.joseph@gmail.com> 2014-2015 Michal Čihař <michal@cihar.com> 2014-2015 Anatoly Bubenkov <bubenkoff@gmail.com> 2015 Andrew Bartlett <abartlet@catalyst.net.nz> 2015 Balázs Úr <urbalazs@gmail.com> 2015 Ben Finney <ben@benfinney.id.au> 2015 Daniel Hobley <danielh@unity3d.com> 2015 David Avigni <david.avigni@ankapi.com> 2015 Denis Blanchette <dblanchette@coveo.com> 2015 duanhongyi <duanhongyi@doopai.com> 2015 EriCSN Chang <ericsning@gmail.com> 2015 Grzegorz Krason <grzegorz.krason@gmail.com> 2015 Jan Heylen <heyleke@gmail.com> 2015 Kazunari Kobayashi <kobanari@nifty.com> 2015 Kevin Bullock <kbullock@ringworld.org> 2015 kobanari <kobanari@nifty.com> 2015 Marc Abramowitz <marc@marc-abramowitz.com> 2015 Marc Villetard <marc.villetard@gmail.com> 2015 Matthias Zilk <matthias.zilk@gmail.com> 2015 Michael Pohl <michael@mipapo.de> 2015 Michael V. DePalatis <mike@depalatis.net> 2015 Morten Skaaning <mortens@unity3d.com> 2015 Nick High <nick@silverchip.org> 2015 Niemand Jedermann <predatorix@web.de> 2015 Peter Vitt <petervitt@web.de> 2015 Robert Martinez <ntttq@inboxen.org> 2015 Robert Rauch <mail@robertrauch.de> 2015 Ronny Pfannschmidt <opensource@ronnypfannschmidt.de> 2015 Tuux <tuxa@galaxie.eu.org> 2015 Viktar Palstsiuk <vipals@gmail.com> 2015 Bradley M. Kuhn <bkuhn@sfconservancy.org> 2014 Calinou <calinou@opmbx.org> 2014 Daniel Anderson <daniel@dattrix.com> 2014 Henrik Stuart <hg@hstuart.dk> 2014 Ingo von Borstel <kallithea@planetmaker.de> 2014 Jelmer Vernooij <jelmer@samba.org> 2014 Jim Hague <jim.hague@acm.org> 2014 Matt Fellows <kallithea@matt-fellows.me.uk> 2014 Max Roman <max@choloclos.se> 2014 Na'Tosha Bard <natosha@unity3d.com> 2014 Rasmus Selsmark <rasmuss@unity3d.com> 2014 Tim Freund <tim@freunds.net> 2014 Travis Burtrum <android@moparisthebest.com> 2014 Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com> 2014 Marcin Kuźmiński <marcin@python-works.com> 2010-2013 xpol <xpolife@gmail.com> 2012-2013 Aparkar <aparkar@icloud.com> 2013 Dennis Brakhane <brakhane@googlemail.com> 2013 Grzegorz Rożniecki <xaerxess@gmail.com> 2013 Jonathan Sternberg <jonathansternberg@gmail.com> 2013 Leonardo Carneiro <leonardo@unity3d.com> 2013 Magnus Ericmats <magnus.ericmats@gmail.com> 2013 Martin Vium <martinv@unity3d.com> 2013 Simon Lopez <simon.lopez@slopez.org> 2013 Ton Plomp <tcplomp@gmail.com> 2013 Augusto Herrmann <augusto.herrmann@planejamento.gov.br> 2011-2012 Dan Sheridan <djs@adelard.com> 2012 Dies Koper <diesk@fast.au.fujitsu.com> 2012 Erwin Kroon <e.kroon@smartmetersolutions.nl> 2012 H Waldo G <gwaldo@gmail.com> 2012 hppj <hppj@postmage.biz> 2012 Indra Talip <indra.talip@gmail.com> 2012 mikespook 2012 nansenat16 <nansenat16@null.tw> 2012 Philip Jameson <philip.j@hostdime.com> 2012 Raoul Thill <raoul.thill@gmail.com> 2012 Stefan Engel <mail@engel-stefan.de> 2012 Tony Bussieres <t.bussieres@gmail.com> 2012 Vincent Caron <vcaron@bearstech.com> 2012 Vincent Duvert <vincent@duvert.net> 2012 Vladislav Poluhin <nuklea@gmail.com> 2012 Zachary Auclair <zach101@gmail.com> 2012 Ankit Solanki <ankit.solanki@gmail.com> 2011 Dmitri Kuznetsov 2011 Jared Bunting <jared.bunting@peachjean.com> 2011 Jason Harris <jason@jasonfharris.com> 2011 Les Peabody <lpeabody@gmail.com> 2011 Liad Shani <liadff@gmail.com> 2011 Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it> 2011 Matt Zuba <matt.zuba@goodwillaz.org> 2011 Nicolas VINOT <aeris@imirhil.fr> 2011 Shawn K. O'Shea <shawn@eth0.net> 2011 Thayne Harbaugh <thayne@fusionio.com> 2011 Łukasz Balcerzak <lukaszbalcerzak@gmail.com> 2010 Andrew Kesterson <andrew@aklabs.net> cejones David A. Sjøen <david.sjoen@westcon.no> James Rhodes <jrhodes@redpointsoftware.com.au> Jonas Oberschweiber <jonas.oberschweiber@d-velop.de> larikale RhodeCode GmbH Sebastian Kreutzberger <sebastian@rhodecode.com> Steve Romanow <slestak989@gmail.com> SteveCohen Thomas <thomas@rhodecode.com> Thomas Waldmann <tw-public@gmx.de>