rhodecode-enterprise-ce Commit - r3147:7609f194

security: improve Javascript RST sandbox to also catch mixed case.

marcink -

r3147:7609f194 default

parent child

rhodecode/lib/markup_renderer.py

0 +3 -1

                         refuri = node['refuri']
                         if ':' in refuri:
                             prefix, link = refuri.lstrip().split(':', 1)
-                            if prefix == 'javascript':
+                            prefix = prefix or ''
+                            if prefix.lower() == 'javascript':
                                 # we don't allow javascript type of refs...
                                 node['refuri'] = 'javascript:alert("SandBoxedJavascript")'

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages