

Merge pull request 'disallow javascript: URI in the repository description' (#4896) from earl-warren/forgejo:wip-xss-repo-description into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4896
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>

+5 -1
+1
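--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -179,6 +179,7 @@
 // repository descriptions.
 func createRepoDescriptionPolicy() *bluemonday.Policy {
 	policy := bluemonday.NewPolicy()
+	policy.AllowStandardURLs()
 
 	// Allow italics and bold.
 	policy.AllowElements("i", "b", "em", "strong")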
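Review bot: The new `policy.AllowStandardURLs()` line has no comment explaining why it is there, and its effect is wider than the javascript: fix named in the commit title: as I read bluemonday, this convenience call restricts URL-valued attributes to parseable relative, http, https and mailto values and additionally forces `rel="nofollow"` onto anchors, which is why the companion test's expected output now gains `nofollow`. I would annotate the line with `// Only allow relative, http(s) and mailto URLs so javascript:, data: and vbscript: links are dropped; bluemonday also adds rel="nofollow" to anchors as a side effect.` so the next maintainer does not replace it with a narrower scheme allow-list and silently lose the nofollow behaviour, or vice versa. If nofollow is not wanted on repository-description links, the scheme restriction should be expressed with the individual policy calls instead of this one. createRepoDescriptionPolicy continues past the end of the hunk, so I cannot see which elements and attributes it allows after this point.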
+4 -1
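--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@@ -84,12 +84,15 @@
 		`<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`,
 		`<span style="color: red">Hello World</span>`, `<span>Hello World</span>`,
 		`<br>`, ``,
-		`<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`,
+		`<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer nofollow">https://example.com</a>`,
 		`<mark>Important!</mark>`, `Important!`,
 		`<details>Click me! <summary>Nothing to see here.</summary></details>`, `Click me! Nothing to see here.`,
 		`<input type="hidden">`, ``,
 		`<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`, `<b>I</b> have a <i>strong</i> <strong>opinion</strong> about <em>this</em>.`,
 		`Provides alternative <code>wg(8)</code> tool`, `Provides alternative <code>wg(8)</code> tool`,
+		`<a href="javascript:alert('xss')">Click me</a>.`, `Click me.`,
+		`<a href="data:text/html,<script>alert('xss')</script>">Click me</a>.`, `Click me.`,
+		`<a href="vbscript:msgbox("xss")">Click me</a>.`, `Click me.`,
 	}
 
 	for i := 0; i < len(testCases); i += 2 {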
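Review bot: The three new negative cases all use a lower-case scheme with no obfuscation, so this regression test would still pass against a sanitizer that merely string-matched `javascript:`; it should also pin the variants attackers actually use, and the allowed schemes the fix must not break. I would add `` `<a href="JavaScript:alert('xss')">Click me</a>.`, `Click me.`, `` and `` `<a href="java&#9;script:alert('xss')">Click me</a>.`, `Click me.`, `` (the HTML parser decodes the entity to a tab inside the scheme, which a parseable-URL check is expected to reject — worth confirming against the actual output), plus one positive `mailto:` link and one relative `href="/owner/repo"` link with whatever `rel` attribute the policy now emits, so an over-tight allow-list is caught too. The expected outputs for the positive cases should be taken from a run rather than guessed, since the `nofollow` placement is decided by the sanitizer. The test loop that consumes testCases begins at the hunk's last line and continues outside it.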