mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-11-26 09:09:36 -05:00
bb448f3dc2
- Fixes an XSS that was introduced in https://codeberg.org/forgejo/forgejo/pulls/1433 - This XSS allows for `href`s in anchor elements to be set to a `javascript:` uri in the repository description, which would upon clicking (and not upon loading) the anchor element execute the specified javascript in that uri. - [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description policy, which ensures that URIs in anchor elements are `mailto:`, `http://` or `https://` and thereby disallowing the `javascript:` URI. It also now allows non-relative links and sets `rel="nofollow"` on anchor elements. - Unit test added.
110 lines
6.2 KiB
Go
110 lines
6.2 KiB
Go
// Copyright 2017 The Gitea Authors. All rights reserved.
|
|
// Copyright 2017 The Gogs Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package markup
|
|
|
|
import (
|
|
"html/template"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func Test_Sanitizer(t *testing.T) {
|
|
NewSanitizer()
|
|
testCases := []string{
|
|
// Regular
|
|
`<a onblur="alert(secret)" href="http://www.google.com">Google</a>`, `<a href="http://www.google.com" rel="nofollow">Google</a>`,
|
|
|
|
// Code highlighting class
|
|
`<code class="random string"></code>`, `<code></code>`,
|
|
`<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`,
|
|
`<code class="language-go"></code>`, `<code class="language-go"></code>`,
|
|
|
|
// Input checkbox
|
|
`<input type="hidden">`, ``,
|
|
`<input type="checkbox">`, `<input type="checkbox">`,
|
|
`<input checked disabled autofocus>`, `<input checked="" disabled="">`,
|
|
|
|
// Code highlight injection
|
|
`<code class="language-random ui tab active menu attached animating sidebar following bar center"></code>`, `<code></code>`,
|
|
`<code class="language-lol ui tab active menu attached animating sidebar following bar center">
|
|
<code class="language-lol ui container input huge basic segment center"> </code>
|
|
<img src="https://try.gogs.io/img/favicon.png" width="200" height="200">
|
|
<code class="language-lol ui container input massive basic segment">Hello there! Something has gone wrong, we are working on it.</code>
|
|
<code class="language-lol ui container input huge basic segment">In the meantime, play a game with us at <a href="http://example.com/">example.com</a>.</code>
|
|
</code>`, "<code>\n<code>\u00a0</code>\n<img src=\"https://try.gogs.io/img/favicon.png\" width=\"200\" height=\"200\">\n<code>Hello there! Something has gone wrong, we are working on it.</code>\n<code>In the meantime, play a game with us at\u00a0<a href=\"http://example.com/\" rel=\"nofollow\">example.com</a>.</code>\n</code>",
|
|
|
|
// <kbd> tags
|
|
`<kbd>Ctrl + C</kbd>`, `<kbd>Ctrl + C</kbd>`,
|
|
`<i class="dropdown icon">NAUGHTY</i>`, `<i>NAUGHTY</i>`,
|
|
`<i class="icon dropdown"></i>`, `<i class="icon dropdown"></i>`,
|
|
`<input type="checkbox" disabled=""/>unchecked`, `<input type="checkbox" disabled=""/>unchecked`,
|
|
`<span class="emoji dropdown">NAUGHTY</span>`, `<span>NAUGHTY</span>`,
|
|
`<span class="emoji">contents</span>`, `<span class="emoji">contents</span>`,
|
|
|
|
// Color property
|
|
`<span style="color: red">Hello World</span>`, `<span style="color: red">Hello World</span>`,
|
|
`<p style="color: red; background-color: red">Hello World</p>`, `<p style="color: red; background-color: red">Hello World</p>`,
|
|
`<table><tr><th style="color: red">TH1</th><th style="background-color: red">TH2</th><th style="color: red; background-color: red">TH3</th></tr><tr><td style="color: red">TD1</td><td style="background-color: red">TD2</td><td style="color: red; background-color: red">TD3</td></tr></table>`, `<table><tr><th style="color: red">TH1</th><th style="background-color: red">TH2</th><th style="color: red; background-color: red">TH3</th></tr><tr><td style="color: red">TD1</td><td style="background-color: red">TD2</td><td style="color: red; background-color: red">TD3</td></tr></table>`,
|
|
`<code style="color: red">Hello World</code>`, `<code>Hello World</code>`,
|
|
`<code style="background-color: red">Hello World</code>`, `<code>Hello World</code>`,
|
|
`<span style="bad-color: red">Hello World</span>`, `<span>Hello World</span>`,
|
|
`<p style="bad-color: red">Hello World</p>`, `<p>Hello World</p>`,
|
|
`<code style="bad-color: red">Hello World</code>`, `<code>Hello World</code>`,
|
|
|
|
// Org mode status of list items.
|
|
`<li class="checked"></li>`, `<li class="checked"></li>`,
|
|
`<li class="unchecked"></li>`, `<li class="unchecked"></li>`,
|
|
`<li class="indeterminate"></li>`, `<li class="indeterminate"></li>`,
|
|
|
|
// URLs
|
|
`<a href="cbthunderlink://somebase64string)">my custom URL scheme</a>`, `<a href="cbthunderlink://somebase64string)" rel="nofollow">my custom URL scheme</a>`,
|
|
`<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join">my custom URL scheme</a>`, `<a href="matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join" rel="nofollow">my custom URL scheme</a>`,
|
|
|
|
// Disallow dangerous url schemes
|
|
`<a href="javascript:alert('xss')">bad</a>`, `bad`,
|
|
`<a href="vbscript:no">bad</a>`, `bad`,
|
|
`<a href="data:1234">bad</a>`, `bad`,
|
|
}
|
|
|
|
for i := 0; i < len(testCases); i += 2 {
|
|
assert.Equal(t, testCases[i+1], Sanitize(testCases[i]))
|
|
}
|
|
}
|
|
|
|
func TestDescriptionSanitizer(t *testing.T) {
|
|
NewSanitizer()
|
|
|
|
testCases := []string{
|
|
`<h1>Title</h1>`, `Title`,
|
|
`<img src='img.png' alt='image'>`, ``,
|
|
`<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`,
|
|
`<span style="color: red">Hello World</span>`, `<span>Hello World</span>`,
|
|
`<br>`, ``,
|
|
`<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer nofollow">https://example.com</a>`,
|
|
`<mark>Important!</mark>`, `Important!`,
|
|
`<details>Click me! <summary>Nothing to see here.</summary></details>`, `Click me! Nothing to see here.`,
|
|
`<input type="hidden">`, ``,
|
|
`<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`, `<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`,
|
|
`Provides alternative <code>wg(8)</code> tool`, `Provides alternative <code>wg(8)</code> tool`,
|
|
`<a href="javascript:alert('xss')">Click me</a>.`, `Click me.`,
|
|
`<a href="data:text/html,<script>alert('xss')</script>">Click me</a>.`, `Click me.`,
|
|
`<a href="vbscript:msgbox("xss")">Click me</a>.`, `Click me.`,
|
|
}
|
|
|
|
for i := 0; i < len(testCases); i += 2 {
|
|
assert.Equal(t, testCases[i+1], SanitizeDescription(testCases[i]))
|
|
}
|
|
}
|
|
|
|
func TestSanitizeNonEscape(t *testing.T) {
|
|
descStr := "<scrİpt><script>alert(document.domain)</script></scrİpt>"
|
|
|
|
output := template.HTML(Sanitize(descStr))
|
|
if strings.Contains(string(output), "<script>") {
|
|
t.Errorf("un-escaped <script> in output: %q", output)
|
|
}
|
|
}
|