# HG changeset patch
# User Marcin Kuzminski
# Date 2017-11-20 11:44:07
# Node ID 053218852c65ec799699daf48a3c6612429261aa
# Parent dc922ddbd7df61e0faf43bac87907b5523d49a85
mettags: limit the scope of url => metatag to http, https and / links. - prevent of malicious injection of JS links and other unsafe types
diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -960,8 +960,8 @@ tags_paterns = OrderedDict((
 ('see', (re.compile(r'\[see\ \=\>\ *([a-zA-Z0-9\/\=\?\&\ \:\/\.\-]*)\]'),
 '
see: \\1
')),
- ('url', (re.compile(r'\[url\ \=\>\ \[([a-zA-Z0-9\ \.\-\_]+)\]\((.*?)\)\]'),
- '
\\1
')),
+ ('url', (re.compile(r'\[url\ \=\>\ \[([a-zA-Z0-9\ \.\-\_]+)\]\((http://|https://|/)(.*?)\)\]'),
+ '
\\1
')),
 ('license', (re.compile(r'\[license\ \=\>\ *([a-zA-Z0-9\/\=\?\&\ \:\/\.\-]*)\]'),
 '
\\1
')),
diff --git a/rhodecode/tests/lib/test_libs.py b/rhodecode/tests/lib/test_libs.py
--- a/rhodecode/tests/lib/test_libs.py
+++ b/rhodecode/tests/lib/test_libs.py
@@ -238,6 +238,19 @@ def test_age_in_future(age_args, expecte
 ]),
 # entry
 ((
+ "[url => [linkNameJS](javascript:alert(document.domain))]\n"
+ "[url => [linkNameHTTP](http://rhodecode.com)]\n"
+ "[url => [linkNameHTTPS](https://rhodecode.com)]\n"
+ "[url => [linkNamePath](/repo_group)]\n"
+ ),
+ [
+ ('generic', '[linkNameJS]'),
+ ('url', '[url => [linkNameHTTP](http://rhodecode.com)]'),
+ ('url', '[url => [linkNameHTTPS](https://rhodecode.com)]'),
+ ('url', '[url => [linkNamePath](/repo_group)]'),
+ ]),
+ # entry
+ ((
 "hello pta[tag] gog [[]] [[] sda ero[or]d [me =>>< sa]"
 "[requires] [stale] [see<>=>] [see => http://url.com]"
 "[requires => url] [lang => python] [just a tag] "
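Review bot: The `url` regex now yields three groups, but whether the replacement's `href` was updated to join the scheme and remainder (`\\2\\3`) cannot be confirmed here, since the HTML inside the replacement string was stripped when this page was rendered and only `\\1` survives on that line; if it still reads `\\2` alone, the rendered link would point at the bare scheme prefix. Separately, the `/` alternative also admits protocol-relative targets (`//host/...`), so an external host can still be presented as a site-local link; `(http://|https://|/(?!/))` closes that without affecting ordinary paths. The trailing `(.*?)` group still accepts `"` and whitespace, so unless the caller has already HTML-escaped the text (not visible in this hunk) a quote in the URL part ends the `href` attribute early — `([^"\s]*?)` is a cheap tightening. The case-sensitive scheme match fails closed (`HTTP://` falls through to the generic tag), which is fine as is. `tags_paterns` begins and ends outside the hunk.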
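Review bot: The new fixture entries pin only the extracted `(key, matched_text)` pairs, so the rendered substitution — in particular that `linkNameHTTP`'s link target is the full URL rather than a scheme prefix — is not exercised, assuming these entries feed a tag-extraction test as their shape suggests; a companion assertion on the substituted output would cover that. Two boundary inputs worth adding to the same list are a protocol-relative target, `"[url => [linkNameProto](//rhodecode.com)]\n"`, for which the expected classification should be stated explicitly, and a mixed-case scheme such as `Javascript:`, which currently lands in `generic` only because the pattern is case-sensitive. The enclosing list literal starts and ends outside the hunk.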