Mercurial > kallithea

changeset 7552:e74aa69f6827 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
lib: sanitize HTML for all types of README rendering, not only markdown The repository summary page will display a rendered version of the repository 'readme' based on its file extension. In commit 5746cc3b3fa5, the rendered output was already sanitized when the input was markdown. However, also readmes written in other formats, like ReStructuredText (RST) or plain text could have content that we want sanitized. Therefore, move the sanitizing one level up so it covers all renderers, for now and the future. This fixes an XSS issue when a repository readme contains javascript code, which would be executed when the repository summary page is visited by a user. Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Sat, 26 Jan 2019 20:27:50 +0100
parents 81db5704b285
children c9bd000a4567
files kallithea/lib/markup_renderer.py
diffstat 1 files changed, 14 insertions(+), 15 deletions(-) [+]
line wrap: on
line diff
--- a/kallithea/lib/markup_renderer.py	Sat Jan 26 20:00:14 2019 +0100
+++ b/kallithea/lib/markup_renderer.py	Sat Jan 26 20:27:50 2019 +0100
@@ -125,7 +125,19 @@
 
         renderer = self._detect_renderer(source, filename)
         readme_data = renderer(source)
-        return readme_data
+        # Allow most HTML, while preventing XSS issues:
+        # no <script> tags, no onclick attributes, no javascript
+        # "protocol", and also limit styling to prevent defacing.
+        return bleach.clean(readme_data,
+            tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
+                  'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
+                  'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
+                  'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
+                  'thead', 'tr', 'ul'],
+            attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
+            styles=['color'],
+            protocols=['http', 'https', 'mailto'],
+            )
 
     @classmethod
     def plain(cls, source, universal_newline=True):
@@ -163,20 +175,7 @@
         try:
             if flavored:
                 source = cls._flavored_markdown(source)
-            markdown_html = markdown_mod.markdown(source, ['codehilite', 'extra'])
-            # Allow most HTML, while preventing XSS issues:
-            # no <script> tags, no onclick attributes, no javascript
-            # "protocol", and also limit styling to prevent defacing.
-            return bleach.clean(markdown_html,
-                tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
-                      'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
-                      'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
-                      'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
-                      'thead', 'tr', 'ul'],
-                attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
-                styles=['color'],
-                protocols=['http', 'https', 'mailto'],
-                )
+            return markdown_mod.markdown(source, ['codehilite', 'extra'])
         except Exception:
             log.error(traceback.format_exc())
             if safe: