
Allow all schemes in markdown by default #21146

Closed
tobiasBora opened this issue Sep 12, 2022 · 6 comments · Fixed by #24805
Labels
outdated/theme/markdown type/enhancement An improvement of existing functionality

Comments

@tobiasBora

tobiasBora commented Sep 12, 2022

Description

Using the main instance https://gitea.com I am unable to insert non-http emails. In particular I am interested in adding links to my emails (I use the tool only internally) provided by the https://camiel.bouchier.be/en/cb_thunderlink extension. Unfortunately links like cbthunderlink://somebase64string are not clickable, even if I explicitly use the longer URL notation:

```markdown
See you can't click me [cbthunderlink://somebase64string](cbthunderlink://somebase64string)
```

Gitea Version

1.18.0+dev-333-g9e0c43777

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

(two screenshots attached to the issue, not preserved here)

Git Version

No response

Operating System

No response

How are you running Gitea?

Using the instance from https://gitea.com

Database

No response

@wxiaoguang
Contributor

There is a config option: `markdown.CUSTOM_URL_SCHEMES`.

@wxiaoguang wxiaoguang added issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail and removed type/bug labels Sep 12, 2022
@tobiasBora
Author

tobiasBora commented Sep 12, 2022

Hum, good to know, thanks… but I guess it will not work if I do not own the server (which is my case)… Is there any security reason for this limitation?

@wxiaoguang
Contributor

I believe security is the main concern (although it's not designed by me).

Some schemes/protocols could lead to security problems.

@tobiasBora
Author

I'm not sure I understand how security would be impacted: I guess that it is always possible for an attacker to put an https link that points to, e.g., tinyurl and then put there a redirection to the URL using the malicious protocol. In my opinion, it is the role of the browser to protect against malicious protocols (and to some extent it is the case; for instance Firefox will ask you which program to call when you use a Zoom link), not websites.

@wxiaoguang
Contributor

I would agree with you if there were no more security concerns. The code is as old as 2014 and 2016:

3a9fd81
a4cbe79

@wxiaoguang wxiaoguang added type/enhancement An improvement of existing functionality and removed issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail labels Sep 12, 2022
@wxiaoguang wxiaoguang changed the title Non http links are not clickable (cbthunderlink) Allow all schemes in markdown by default Sep 12, 2022
@tobiasBora
Author

Ok perfect then!

silverwind pushed a commit that referenced this issue May 19, 2023
- Closes #21146
- Closes #16721

## ⚠️ BREAKING ⚠️
This changes the default behavior to now create links for any URL scheme
when the user uses the markdown form for links (`[label](URL)`); this
doesn't affect the rendering of inline links. To opt out, set the
`markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes; all
other schemes (except `http` and `https`) won't be allowed.

# Before

![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d)

# After

![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>
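The scheme policy the commit message describes, written out as an added example (not Gitea's own code): `linkSchemeAllowed` is a hypothetical function that models `markdown.CUSTOM_URL_SCHEMES`, allowing any scheme when the setting is empty and only `http`, `https` plus the listed schemes when an operator has set it. The sample link list is constructed; the `cbthunderlink` URL is the one from the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// linkSchemeAllowed is a hypothetical policy check (not Gitea's code) for a
// markdown link target written as [label](URL).
//
// customSchemes models the markdown.CUSTOM_URL_SCHEMES setting:
//   - empty     -> the post-#24805 default: any parseable scheme is allowed
//   - non-empty -> only http, https and the listed schemes are allowed
func linkSchemeAllowed(rawURL string, customSchemes []string) (bool, error) {
	u, err := url.Parse(strings.TrimSpace(rawURL))
	if err != nil {
		return false, err
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme == "" {
		// Relative or same-site link (e.g. "docs/README.md"): nothing to police.
		return true, nil
	}
	if len(customSchemes) == 0 {
		return true, nil
	}
	allowed := map[string]bool{"http": true, "https": true}
	for _, s := range customSchemes {
		allowed[strings.ToLower(strings.TrimSpace(s))] = true
	}
	return allowed[scheme], nil
}

func main() {
	// Constructed sample inputs; javascript: stands in for a scheme an
	// operator would typically want the allowlist to reject.
	links := []string{"https://gitea.com", "cbthunderlink://somebase64string",
		"mailto:someone@example.com", "javascript:void(0)", "docs/README.md"}
	for _, cfg := range [][]string{nil, {"cbthunderlink", "mailto"}} {
		fmt.Printf("CUSTOM_URL_SCHEMES=%v\n", cfg)
		for _, l := range links {
			ok, err := linkSchemeAllowed(l, cfg)
			fmt.Printf("  %-34s allowed=%v err=%v\n", l, ok, err)
		}
	}
}
```

With the setting left empty every scheme is rendered, which is the behavior the issue asked for; setting it restores the allowlist behavior shown under "Before".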
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 4, 2023