Posted to commits@allura.apache.org by br...@apache.org on 2016/06/21 14:31:49 UTC

allura git commit: [#4644] remove all form/input tags from the list of allowed tags

Repository: allura
Updated Branches:
  refs/heads/db/4644 [created] 36d402a30


[#4644] remove all form/input tags from the list of allowed tags


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/36d402a3
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/36d402a3
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/36d402a3

Branch: refs/heads/db/4644
Commit: 36d402a3092b2e9999a02ced7f13d47980d607c8
Parents: d5e71e1
Author: Dave Brondsema <da...@brondsema.net>
Authored: Tue Jun 21 10:30:50 2016 -0400
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Tue Jun 21 10:30:50 2016 -0400

----------------------------------------------------------------------
 Allura/allura/lib/app_globals.py  |  2 +-
 Allura/allura/lib/utils.py        | 10 ++++++++++
 Allura/allura/tests/test_utils.py |  4 ++++
 3 files changed, 15 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/lib/app_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/app_globals.py b/Allura/allura/lib/app_globals.py
index 7e8e5db..33fa123 100644
--- a/Allura/allura/lib/app_globals.py
+++ b/Allura/allura/lib/app_globals.py
@@ -104,7 +104,7 @@ class ForgeMarkdown(markdown.Markdown):
                 field_name, artifact.__class__.__name__)
             return self.convert(source_text)
 
-        bugfix_rev = 2  # increment this if we need all caches to invalidated (e.g. xss in markdown rendering fixed)
+        bugfix_rev = 3  # increment this if we need all caches to invalidated (e.g. xss in markdown rendering fixed)
         md5 = None
         # If a cached version exists and it is valid, return it.
         if cache.md5 is not None:

http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/lib/utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 9afd29f..6d05764 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -549,6 +549,16 @@ def serve_file(fp, filename, content_type, last_modified=None,
 
 
 class ForgeHTMLSanitizer(html5lib.sanitizer.HTMLSanitizer):
+    # remove some elements from the sanitizer whitelist
+    # <form> and <input> could be used for a social engineering attack to construct a form
+    # others are just unexpected and confusing, and have no need to be used in markdown
+    _form_elements = ('button', 'datalist', 'fieldset', 'form', 'input', 'label', 'legend', 'meter', 'optgroup',
+                      'option', 'output', 'progress', 'select', 'textarea')
+    _forge_acceptable_elements = [e for e in html5lib.sanitizer.HTMLSanitizer.acceptable_elements
+                                  if e not in (_form_elements)]
+    allowed_elements = _forge_acceptable_elements \
+                       + html5lib.sanitizer.HTMLSanitizer.mathml_elements \
+                       + html5lib.sanitizer.HTMLSanitizer.svg_elements
 
     valid_iframe_srcs = ('https://www.youtube.com/embed/', 'https://www.gittip.com/')
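Review bot: The `if e not in (_form_elements)` clause of the `_forge_acceptable_elements` comprehension reads a class-body name from inside the comprehension; that works on Python 2, where a list comprehension shares the enclosing class scope, but on Python 3 the comprehension gets its own scope and cannot see class attributes, so importing the module would fail with a NameError at class-definition time. Moving `_form_elements` to module level (or inlining the tuple in the comprehension) avoids that, and the redundant parentheses can go: `if e not in _form_elements`. The override also relies on html5lib's sanitizer consulting the subclass's `allowed_elements` at sanitize time rather than a copy made in the base class body; the accompanying test exercises that path, so it is worth keeping. A short comment on `allowed_elements`, such as `# same composition as the base class: acceptable + mathml + svg, minus the form elements above`, would make clear why the mathml and svg lists are re-added by hand.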
 

http://git-wip-us.apache.org/repos/asf/allura/blob/36d402a3/Allura/allura/tests/test_utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_utils.py b/Allura/allura/tests/test_utils.py
index 396acfb..fef8373 100644
--- a/Allura/allura/tests/test_utils.py
+++ b/Allura/allura/tests/test_utils.py
@@ -265,6 +265,10 @@ class TestHTMLSanitizer(unittest.TestCase):
         assert_equal(
             self.simple_tag_list(p), ['div', 'iframe', 'div'])
 
+    def test_html_sanitizer_form_elements(self):
+        p = utils.ForgeHTMLSanitizer('<p>test</p><form method="post" action="http://localhost/foo.php"><input type=file><input type=text><textarea>asdf</textarea></form>')
+        assert_equal(self.simple_tag_list(p), ['p', 'p'])
+
 
 def test_ip_address():
     req = Mock()
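Review bot: test_html_sanitizer_form_elements asserts only the surviving tag names, so it does not record what happens to the rejected markup: if html5lib's sanitizer escapes disallowed tags into character data rather than dropping them (as I recall it does), the literal `<form ...>`/`<input ...>` source would appear as visible text in rendered output and this assertion would pass either way. A second assertion on the serialized output would pin the intended treatment (escaped versus dropped) and catch a regression in either direction. TestHTMLSanitizer starts outside the hunk and `simple_tag_list` is defined elsewhere in the class, so I cannot see whether an existing helper already serializes the result.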