u/pc/rhodecode-enterprise-ce-fork-pc Commit - r1833:56150ab5

security: use custom writer for RST rendering to prevent injection of javascript: tags.

marcink -

r1833:56150ab5 default

parent child

rhodecode/lib/markup_renderer.py

0 +28 -1

              from docutils.core import publish_parts
              from docutils.parsers.rst import directives
+             from docutils import writers
+             from docutils.writers import html4css1
              import markdown
              from rhodecode.lib.markdown_ext import GithubFlavoredMarkdownExtension
              DEFAULT_COMMENTS_RENDERER = 'rst'
+             class CustomHTMLTranslator(writers.html4css1.HTMLTranslator):
+                 """
+                 Custom HTML Translator used for sandboxing potential
+                 JS injections in ref links
+                 """
+                 def visit_reference(self, node):
+                     if 'refuri' in node.attributes:
+                         refuri = node['refuri']
+                         if ':' in refuri:
+                             prefix, link = refuri.lstrip().split(':', 1)
+                             if prefix == 'javascript':
+                                 # we don't allow javascript type of refs...
+                                 node['refuri'] = 'javascript:alert("SandBoxedJavascript")'
+                     # old style class requires this...
+                     return html4css1.HTMLTranslator.visit_reference(self, node)
+             class RhodeCodeWriter(writers.html4css1.Writer):
+                 def __init__(self):
+                     writers.Writer.__init__(self)
+                     self.translator_class = CustomHTMLTranslator
              def relative_links(html_source, server_path):
                  if not html_source:
                      return html_source
                              directives.register_directive(k, v)
                          parts = publish_parts(source=source,
-                                               writer_name="html4css1",
+                                               writer=RhodeCodeWriter(),
                                                settings_overrides=docutils_settings)
                          return parts['html_title'] + parts["fragment"]

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages