# HG changeset patch
# User Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
# Date 2019-01-26 20:27:50
# Node ID 2ac4499b25eb814bee28917692dd02fcee85d228
# Parent  c9159e6fda042b0521d73f56abab551e40d0623d

lib: sanitize HTML for all types of README rendering, not only markdown

The repository summary page will display a rendered version of the
repository 'readme' based on its file extension.  In commit 5746cc3b3fa5,
the rendered output was already sanitized when the input was markdown.
However, also readmes written in other formats, like ReStructuredText (RST)
or plain text could have content that we want sanitized.

Therefore, move the sanitizing one level up so it covers all renderers, for
now and the future.

This fixes an XSS issue when a repository readme contains javascript code,
which would be executed when the repository summary page is visited by a
user.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

diff --git a/kallithea/lib/markup_renderer.py b/kallithea/lib/markup_renderer.py
--- a/kallithea/lib/markup_renderer.py
+++ b/kallithea/lib/markup_renderer.py
@@ -124,7 +124,19 @@ class MarkupRenderer(object):
 
         renderer = self._detect_renderer(source, filename)
         readme_data = renderer(source)
-        return readme_data
+        # Allow most HTML, while preventing XSS issues:
+        # no <script> tags, no onclick attributes, no javascript
+        # "protocol", and also limit styling to prevent defacing.
+        return bleach.clean(readme_data,
+            tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
+                  'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
+                  'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
+                  'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
+                  'thead', 'tr', 'ul'],
+            attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
+            styles=['color'],
+            protocols=['http', 'https', 'mailto'],
+            )
 
     @classmethod
     def plain(cls, source, universal_newline=True):
@@ -162,22 +174,10 @@ class MarkupRenderer(object):
         try:
             if flavored:
                 source = cls._flavored_markdown(source)
-            markdown_html = markdown_mod.markdown(source,
-                                       extensions=['codehilite', 'extra'],
-                                       extension_configs={'codehilite': {'css_class': 'code-highlight'}})
-            # Allow most HTML, while preventing XSS issues:
-            # no <script> tags, no onclick attributes, no javascript
-            # "protocol", and also limit styling to prevent defacing.
-            return bleach.clean(markdown_html,
-                tags=['a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd',
-                      'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5',
-                      'h6', 'hr', 'i', 'img', 'li', 'ol', 'p', 'pre', 'span',
-                      'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'th',
-                      'thead', 'tr', 'ul'],
-                attributes=['class', 'id', 'style', 'label', 'title', 'alt', 'href', 'src'],
-                styles=['color'],
-                protocols=['http', 'https', 'mailto'],
-                )
+            return markdown_mod.markdown(
+                source,
+                extensions=['codehilite', 'extra'],
+                extension_configs={'codehilite': {'css_class': 'code-highlight'}})
         except Exception:
             log.error(traceback.format_exc())
             if safe: