security: use custom writer for RST rendering to prevent injection of javascript: URIs in reference links.
marcink -
r1833:56150ab5 default
@@ -34,6 +34,8 b' from mako.template import Template as Ma'
34
34
35 from docutils.core import publish_parts
35 from docutils.core import publish_parts
36 from docutils.parsers.rst import directives
36 from docutils.parsers.rst import directives
37 from docutils import writers
38 from docutils.writers import html4css1
37 import markdown
39 import markdown
38
40
39 from rhodecode.lib.markdown_ext import GithubFlavoredMarkdownExtension
41 from rhodecode.lib.markdown_ext import GithubFlavoredMarkdownExtension
@@ -46,6 +48,31 b' log = logging.getLogger(__name__)'
46 DEFAULT_COMMENTS_RENDERER = 'rst'
48 DEFAULT_COMMENTS_RENDERER = 'rst'
47
49
48
50
51 class CustomHTMLTranslator(writers.html4css1.HTMLTranslator):
52 """
53 Custom HTML Translator used for sandboxing potential
54 JS injections in ref links
55 """
56
57 def visit_reference(self, node):
58 if 'refuri' in node.attributes:
59 refuri = node['refuri']
60 if ':' in refuri:
61 prefix, link = refuri.lstrip().split(':', 1)
62 if prefix == 'javascript':
63 # we don't allow javascript type of refs...
64 node['refuri'] = 'javascript:alert("SandBoxedJavascript")'
65
66 # old style class requires this...
67 return html4css1.HTMLTranslator.visit_reference(self, node)
68
69
70 class RhodeCodeWriter(writers.html4css1.Writer):
71 def __init__(self):
72 writers.Writer.__init__(self)
73 self.translator_class = CustomHTMLTranslator
74
75
49 def relative_links(html_source, server_path):
76 def relative_links(html_source, server_path):
50 if not html_source:
77 if not html_source:
51 return html_source
78 return html_source
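Review bot: The scheme comparison in `CustomHTMLTranslator.visit_reference` is case-sensitive (`prefix == 'javascript'`), while browsers match URI schemes case-insensitively, so a reference whose refuri reaches this node as `JavaScript:alert(1)` or `JAVASCRIPT:...` (e.g. from an explicit `.. _x: JavaScript:...` target, which docutils stores verbatim as far as I can tell) would pass through untouched. The check is also a one-entry denylist: `vbscript:` and `data:` URIs are not covered, and the "sandboxed" replacement is itself still a `javascript:` href rather than an inert link. I would normalise and neutralise instead: `scheme = refuri.strip().split(':', 1)[0].lower()`, `if scheme in ('javascript', 'vbscript', 'data'):`, `node['refuri'] = '#'` (or drop the attribute), or better an allowlist of `http`, `https`, `mailto`, `ftp` so unknown schemes are rejected by default. Note that this translator only filters `refuri` on reference nodes; image `uri` attributes and any `raw` directive output are not touched here, so whether those are already disabled depends on `docutils_settings`, which is outside this hunk.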
@@ -341,7 +368,7 b' class MarkupRenderer(object):'
341 directives.register_directive(k, v)
368 directives.register_directive(k, v)
342
369
343 parts = publish_parts(source=source,
370 parts = publish_parts(source=source,
344 writer_name="html4css1",
371 writer=RhodeCodeWriter(),
345 settings_overrides=docutils_settings)
372 settings_overrides=docutils_settings)
346
373
347 return parts['html_title'] + parts["fragment"]
374 return parts['html_title'] + parts["fragment"]