There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
This is an extensive PR attempting to fix these issues.
1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Use route to serve assets but not middleware
* Fix build error with bindata tag
* convert path to absolute
* fix build
* reduce function stack
* Add tests for assets
* Remove test for assets because they are not generated
* Use a http function to serve assets
* Still use middleware to serve assets then less middleware stack for assets
* Move serveContent to original position
* remove unnecessary blank line change
* Fix bug for /assets* requests
* clean code
Co-authored-by: zeripath <art27@cantab.net>
Use [chi](https://github.com/go-chi/chi) instead of the forked [macaron](https://gitea.com/macaron/macaron). Since macaron and chi have conflicts with session share, this big PR becomes a have-to thing. According my previous idea, we can replace macaron step by step but I'm wrong. :( Below is a list of big changes on this PR.
- [x] Define `context.ResponseWriter` interface with an implementation `context.Response`.
- [x] Use chi instead of macaron, and also a customize `Route` to wrap chi so that the router usage is similar as before.
- [x] Create different routers for `web`, `api`, `internal` and `install` so that the codes will be more clear and no magic .
- [x] Use https://github.com/unrolled/render instead of macaron's internal render
- [x] Use https://github.com/NYTimes/gziphandler instead of https://gitea.com/macaron/gzip
- [x] Use https://gitea.com/go-chi/session which is a modified version of https://gitea.com/macaron/session and removed `nodb` support since it will not be maintained. **BREAK**
- [x] Use https://gitea.com/go-chi/captcha which is a modified version of https://gitea.com/macaron/captcha
- [x] Use https://gitea.com/go-chi/cache which is a modified version of https://gitea.com/macaron/cache
- [x] Use https://gitea.com/go-chi/binding which is a modified version of https://gitea.com/macaron/binding
- [x] Use https://github.com/go-chi/cors instead of https://gitea.com/macaron/cors
- [x] Dropped https://gitea.com/macaron/i18n and make a new one in `code.gitea.io/gitea/modules/translation`
- [x] Move validation form structs from `code.gitea.io/gitea/modules/auth` to `code.gitea.io/gitea/modules/forms` to avoid dependency cycle.
- [x] Removed macaron log service because it's not need any more. **BREAK**
- [x] All form structs have to be get by `web.GetForm(ctx)` in the route function but not as a function parameter on routes definition.
- [x] Move Git HTTP protocol implementation to use routers directly.
- [x] Fix the problem that chi routes don't support trailing slash but macaron did.
- [x] `/api/v1/swagger` now will be redirect to `/api/swagger` but not render directly so that `APIContext` will not create a html render.
Notices:
- Chi router don't support request with trailing slash
- Integration test `TestUserHeatmap` maybe mysql version related. It's failed on my macOS(mysql 5.7.29 installed via brew) but succeed on CI.
Co-authored-by: 6543 <6543@obermui.de>
* Add automatic JS license generation
Removed librejs file and replaced it with a plaintext file that is built
from all JS dependencies that are included in the webpack build. It does
not cover the few remaining statically vendored files and fomantic is
added manually because it's not yet in the webpack build process.
Fixes: https://github.com/go-gitea/gitea/issues/11630
* fix lint
* remove jslicense, we're not librejs compatible any more
* remove license.txt test as it depens on absent files
* small optimization
* trailing comma
* localize and capitalize the word 'licenses'
* reduce text to just 'Licenses'
Co-authored-by: Lauris BH <lauris@nix.lv>
* remove since it is there for 3years
* fix 500 error for ghost avatar
* dont insert "-1" in any case to issue.poster_id
* fix lint
* Test: ghost avatar link
* fix test
* Revert "remove since it is there for 3years"
This reverts commit fd9ad05159.
* Revert "dont insert "-1" in any case to issue.poster_id"
This reverts commit 05469ab6d8.
Co-authored-by: zeripath <art27@cantab.net>
* Make repository list @ issues/PR page persist
Will partially fix #6355
* Enable multiple selections in repo list @ issues/PR page
Part of issue #6355
* Add RepoIDs to UserIssueStatsOptions to make "type" count correct when selecting one/multiple repos.
* Replace variable "repo" with list "repos[]" and enable multiple selections of repositories from list by including/excluding RepoIDs in list.
*
* Remove redundant code
* Add 'All' button
Improves functionality of the page, so that backtracking is not necessary to reset the page
* Remove redundant variable
Completely replace 'RepoID' with 'RepoIDs' and remove redundant code
* Add RepoIDs to label link
* Revert part of code to previous version to troubleshoot build failure
* Implement old and new pieces of code whilst adhering to multi select
* Attempt to join the two versions
Last commit passed tests but doesn't work in practice, this works in practice and hopefully passes the tests.
* Update tests to desired state
* Fix pagination implementation and tests
* Pass repoIDs as `repos=[1,2,3...]` instead of several `repos[]=..`
* Update tests file to reflect new functionality
* Update template with new `repos` format
* Implement new solution to show constant "total issues" count for "All" button
* Correct behavior when passing zero to array
* Comment out test url returning 404
This keeps returning 404 in the test despite working in practice, for the sake of running more tests I am commenting it out
* Comment out another test url returning 404
Last attempt, if more tests crash I will uncomment the urls and request assistance.
* Reenable tests and test fix
* Re-enable tests
* Make selecting "In your repositories" reset selection as passing IDs of repos belonging to other profiles causes breakage
* Remove unnecessary (with multi-selection enable) code
* Drop repo from repo map and total count if permission denied
* Remove extra parenthesis
* make template work again
* find bug!
* forgot the '#' at bugfixing
* delete unused RepoID
* compile regex only one time
* make fmt
* local variable = capital letter lower
* check if repos query pattern is correct
* pagination remove last , - make regex work again
* use Replace instead of ReplaceAll; del delete
* fix test
* how did this test binary got in?!?
dont forgot the "-p" at git add * !
* dont replace -> cut fisrt & last string
Co-Authored-By: zeripath <art27@cantab.net>
* jet another regex
dont mind as long as it has the same result and is performatn ...
Co-Authored-By: zeripath <art27@cantab.net>
* dont use nonexisting repo for test
* exclude /issues?type=created_by from test
* add table to querys
use same syntax in each query (table.colum)
* add new issue for test
* dont make a workaround or something else
this need a refactor itself and is out of scope for this PR
* fix misspell
* CI.redo()
* englisch txt update
Co-Authored-By: zeripath <art27@cantab.net>
* add sugestions
* Tweak & Fix
* CI.restart()
* moved avatar to profile page
* combined password change, email and account deletion into account settings page
* combined totp, access tokens, linked accounts and openid into security settings page
* move access tokens to applications settings page
* small change to restart drone build
* fix change avatar url on profile page
* redirect old settings urls to new ones
* enforce only one autofocus attribute on settings pages
* set correct redirect status code
* fmt fix
* Make URL scheme unambiguous
Redirect old routes to new routes
* Fix redirects to new URL scheme, and update template
* Fix branches/_new endpoints, and update integration test
* Move swagger interface under /api/v1
* Update swagger-ui
* Add /api/swagger and prepare for multiple api version
* Update test links
* Fix footer link