Disallow dangerous url schemes (#25960)

Regression: https://github.com/go-gitea/gitea/pull/24805 Closes: #25945 - Disallow `javascript`, `vbscript` and `data` (data uri images still work) url schemes even if all other schemes are allowed - Fixed older `cbthunderlink` tests --------- Co-authored-by: delvh <dev.lh@web.de>
2025-07-22 18:28:37 +00:00 · 2023-07-18 17:18:37 +02:00
parent cc73e84fa3
commit 8af96f585f
4 changed files with 19 additions and 5 deletions
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -6,6 +6,7 @@ package markup

 import (
 	"io"
+	"net/url"
 	"regexp"
 	"sync"

@@ -79,6 +80,14 @@ func createDefaultPolicy() *bluemonday.Policy {
 		policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
 	} else {
 		policy.AllowURLSchemesMatching(allowAllRegex)
+
+		// Even if every scheme is allowed, these three are blocked for security reasons
+		disallowScheme := func(*url.URL) bool {
+			return false
+		}
+		policy.AllowURLSchemeWithCustomPolicy("javascript", disallowScheme)
+		policy.AllowURLSchemeWithCustomPolicy("vbscript", disallowScheme)
+		policy.AllowURLSchemeWithCustomPolicy("data", disallowScheme)
 	}

 	// Allow classes for anchors