Fix "custom URL scheme" support and fix tests #25945

Closed
wants to merge 1 commit into from


wxiaoguang
Contributor

I made a mistake for #24805

And the test cases didn't work because the "custom schemes" affect "render" but not "sanitizer"

This PR reverts to the old behavior, adds more comments, and fixes the tests.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 18, 2023
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 18, 2023
@wxiaoguang wxiaoguang added the backport/v1.20 This PR should be backported to Gitea 1.20 label Jul 18, 2023
@wxiaoguang wxiaoguang added this to the 1.21.0 milestone Jul 18, 2023
@wxiaoguang wxiaoguang added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Jul 18, 2023
@wxiaoguang wxiaoguang changed the title Fix "custom scheme" support and fix tests Fix "custom URL scheme" support and fix tests Jul 18, 2023
@KN4CK3R
Member

KN4CK3R commented Jul 18, 2023

microcosm-cc/bluemonday#182

@wxiaoguang wxiaoguang closed this Jul 18, 2023
@GiteaBot GiteaBot removed this from the 1.21.0 milestone Jul 18, 2023
@wxiaoguang wxiaoguang deleted the fix-custom-scheme branch July 18, 2023 14:40
KN4CK3R added a commit that referenced this pull request Jul 18, 2023
Regression: #24805
Closes: #25945

- Disallow `javascript`, `vbscript` and `data` (data uri images still
work) url schemes even if all other schemes are allowed
- Fixed older `cbthunderlink` tests

---------

Co-authored-by: delvh <dev.lh@web.de>
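
An added Go example (not code from this pull request, Gitea or bluemonday) of the rule in the commit message above: `javascript`, `vbscript` and `data` stay blocked even when every other scheme is allowed, while data URI images still pass. The function names, the `allowAll`/`custom` parameters and the default `http`/`https`/`mailto` set are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Schemes refused for links no matter what else is configured.
var blocked = map[string]bool{"javascript": true, "vbscript": true, "data": true}

// LinkAllowed reports whether rawURL may be kept as a link target. allowAll models
// an "allow every scheme" setting, custom an explicit list (hypothetical names).
func LinkAllowed(rawURL string, allowAll bool, custom []string) bool {
	// url.Parse rejects control characters and lower-cases the scheme.
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true // relative link
	}
	if blocked[u.Scheme] {
		return false // checked before allowAll and before the custom list
	}
	if allowAll || u.Scheme == "http" || u.Scheme == "https" || u.Scheme == "mailto" {
		return true // assumed default set
	}
	for _, s := range custom {
		if strings.EqualFold(s, u.Scheme) {
			return true
		}
	}
	return false
}

// ImageSrcAllowed also accepts data URIs, but only ones declaring an image type.
func ImageSrcAllowed(rawURL string, allowAll bool, custom []string) bool {
	if strings.HasPrefix(strings.ToLower(strings.TrimSpace(rawURL)), "data:image/") {
		return true
	}
	return LinkAllowed(rawURL, allowAll, custom)
}

func main() {
	for _, in := range []string{"cbthunderlink://x", "JavaScript:alert(1)", "data:text/html,x"} { // constructed inputs
		fmt.Printf("%-22s link=%v\n", in, LinkAllowed(in, true, nil))
	}
}
```
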
KN4CK3R added a commit to KN4CK3R/gitea that referenced this pull request Jul 18, 2023
techknowlogick pushed a commit that referenced this pull request Jul 18, 2023
brechtvl pushed a commit to blender/gitea that referenced this pull request Jul 19, 2023
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Oct 16, 2023