

Thomas De Schampheleire
lib: sanitize HTML for all types of README rendering, not only markdown

The repository summary page will display a rendered version of the
repository 'readme' based on its file extension. In commit 5746cc3b3fa5,
the rendered output was already sanitized when the input was markdown.
However, READMEs written in other formats, such as reStructuredText (RST)
or plain text, could also contain content that we want sanitized.

Therefore, move the sanitizing one level up so it covers all renderers, for
now and the future.

This fixes an XSS issue when a repository readme contains javascript code,
which would be executed when the repository summary page is visited by a
user.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://www.w3.org/2000/svg" xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" enable-background="new 0 0 163 30" xml:space="preserve" height="30" viewBox="0 0 140 30" width="140" version="1.1" y="0px" x="0px">
  <metadata>
    <rdf:RDF>
      <cc:Work rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type rdf:resource="http://purl.org/dc/dcmitype/StillImage"/>
        <dc:title/>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <g display="none">
    <rect display="inline" height="163" width="256" y="-66.5" x="-24" fill="#404c2c"/>
  </g>
  <g transform="matrix(.83 0 0 1 5.6391 0)">
      <g fill="#b1d579">
        <path d="m26.04 25.875v-20.64l5.451-0.473v21.113h-5.451zm17.215 0h-6.141l-5.451-8.066 5.589-6.704h5.555l-5.555 6.481 6.003 8.289z"/>
        <path d="m58.951 21.592c0 1.141 0.379 1.557 1.242 1.809l-1.138 2.865c-2.174-0.141-3.588-0.668-4.416-2.143-1.311 1.641-3.347 2.225-5.52 2.225-3.657 0-5.969-1.918-5.969-4.617 0-3.227 3.036-4.979 8.59-4.979h1.863v-0.641c0-1.751-0.862-2.28-3.105-2.28-1.173 0-2.967 0.278-4.795 0.779l-1.242-2.893c2.312-0.695 4.83-1.085 6.9-1.085 5.313 0 7.59 1.808 7.59 5.229v5.731zm-5.347 0.194v-2.614h-1.346c-2.484 0-3.691 0.695-3.691 2.169 0 1.169 0.793 1.864 2.139 1.864 1.276 0 2.242-0.529 2.898-1.419z"/>
        <path d="m68.057 21.73c0 0.834 0.345 1.141 0.932 1.141 0.276 0 0.655-0.057 0.897-0.139l1.069 3.115c-0.931 0.305-2.242 0.5-3.519 0.5-3.036 0-4.83-1.447-4.83-4.173v-16.939l5.451-0.473v16.968z"/>
        <path d="m77.785 21.73c0 0.834 0.345 1.141 0.932 1.141 0.276 0 0.655-0.057 0.897-0.139l1.069 3.115c-0.931 0.305-2.242 0.5-3.519 0.5-3.036 0-4.83-1.447-4.83-4.173v-16.939l5.451-0.473v16.968z"/>
        <path d="m88.169 5.819c0 1.418-1.346 2.503-3.243 2.503-1.896 0-3.208-1.085-3.208-2.503 0-1.419 1.312-2.504 3.208-2.504 1.897 0 3.243 1.085 3.243 2.504zm-5.935 20.056v-14.771h5.451v14.771h-5.451z"/>
        <path d="m102.93 25.18c-1.379 0.779-3.312 1.168-4.968 1.168-4.036-0.027-6.003-1.863-6.003-5.341v-6.843h-2.588v-3.06h2.588v-3.199l5.451-0.5v3.7h4.209l-0.587 3.06h-3.622v6.787c0 1.419 0.586 1.92 1.725 1.92 0.621 0 1.242-0.14 1.967-0.501l1.828 2.809z"/>
        <path d="m120.04 15.082v10.793h-5.45v-10.042c0-1.558-0.691-1.975-1.726-1.975-1.208 0-2.208 0.695-3.175 1.892v10.125h-5.45v-20.64l5.45-0.445v7.9c1.483-1.363 3.141-2.059 5.279-2.059 3.174 0 5.072 1.641 5.072 4.451z"/>
        <path d="m139.5 19.783h-11.35c0.379 2.643 1.932 3.365 4.174 3.365 1.484 0 2.795-0.416 4.382-1.308l2.243 2.447c-1.829 1.168-4.176 2.06-7.143 2.06-6.105 0-9.211-3.172-9.211-7.789 0-4.422 3.002-7.928 8.557-7.928 5.242 0 8.451 2.782 8.451 7.566 0.001 0.474-0.033 1.142-0.102 1.587zm-5.244-2.838c-0.034-2.002-0.794-3.394-2.968-3.394-1.793 0-2.896 0.946-3.139 3.589h6.105l0.002-0.195z"/>
        <path d="m156.78 21.592c0 1.141 0.379 1.557 1.242 1.809l-1.139 2.865c-2.175-0.141-3.589-0.668-4.416-2.143-1.312 1.641-3.348 2.225-5.521 2.225-3.658 0-5.97-1.918-5.97-4.617 0-3.227 3.035-4.979 8.59-4.979h1.863v-0.641c0-1.751-0.861-2.28-3.104-2.28-1.172 0-2.968 0.278-4.795 0.779l-1.242-2.893c2.312-0.695 4.83-1.085 6.899-1.085 5.312 0 7.591 1.808 7.591 5.229l0.002 5.731zm-5.347 0.194v-2.614h-1.346c-2.484 0-3.691 0.695-3.691 2.169 0 1.169 0.793 1.864 2.14 1.864 1.275 0 2.24-0.529 2.897-1.419z"/>
      </g>
  </g>
  <g fill="#b1d579">
      <path d="m8.155 18.736c-0.086-0.21-0.048-0.579-0.048-0.579l-0.097-8.098h-1.149l0.098 8.398s-0.034 0.455 0.091 0.709c0.125 0.255 0.413 0.599 0.413 0.599l3.491 3.384s0.107 0.122 0.292 0.486l0.001-1.876-2.884-2.702c0 0.002-0.122-0.11-0.208-0.321z"/>
      <path d="m19.362 23.255c0.088-0.331 0.089-0.608 0.089-0.608l-0.01-2.976h-1.237v3.082s-0.007 0.113-0.069 0.254c-0.063 0.142-0.091 0.173-0.091 0.173l-2.319 2.395h1.569l1.768-1.832c0.001-0.001 0.217-0.17 0.3-0.488z"/>
      <path d="m12.905 15.81c0.18-0.288 0.437-0.463 0.437-0.463l2.998-3.073s0.511-0.461 0.622-0.782c0.108-0.321 0.045-1.436 0.045-1.436l-0.111-6.44h-1.491l0.077 6.441s0.062 0.514 0 0.726-0.294 0.481-0.294 0.481l-3.137 3.212s-0.638 0.705-0.743 0.934c-0.104 0.228-0.057 1.347-0.057 1.347l-0.003 5.005-0.001 1.876-0.002 1.938h1.479l0.051-8.819c-0.002-0.001-0.048-0.66 0.13-0.947z"/>
  </g>
  <g stroke="#b1d579" fill="none" stroke-miterlimit="10">
      <circle cx="18.723" cy="17.973" r="1.698" stroke-width="1.4318"/>
      <circle cx="7.454" cy="7.291" r="2.769" stroke-width="1.7898"/>
  </g>
</svg>