Allow render HTML with css/js external links #19017
Conversation
lunny
force-pushed
the
lunny/render_iframe
branch
from
d363a7f
to
2f4b6cb
Compare
There was a problem hiding this comment.
I'm concerned with this PR because someone could link to /user/repo/render/.... and have XSS execute. I know that they chose to do this by disabling SANITIZER, but this seems especially dangerous. If merged, we should at least create a big warning in docs, and perhaps in admin saying the config is insecure.
GiteaBot
added
the
lgtm/need 2
Warning added in the docs. |
|
Could we use Content Security Policy headers to prevent any XSS? |
lunny
force-pushed
the
lunny/render_iframe
branch
from
ffb905f
to
1a908ce
Compare
Done. |
lunny
force-pushed
the
lunny/render_iframe
branch
from
447316b
to
c3bfd5b
Compare
Co-authored-by: delvh <dev.lh@web.de>
GiteaBot
added
lgtm/need 1
So it is not breaking for users who are on a stable version, which should be almost everyone. |
If that, we need a migration and deprecated warning in setting. |
|
Beside the option, still one more thing (sorry for bothering ...) Now the iframe is using
update: fixed. |
|
#19017 (comment): If we allow that, we have an obvious and unintended privilege escalation. |
Only |
|
OK, all fixed. Now the iframe is protected by browser's same-origin policy. @techknowlogick
Refer: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox If this token (allow-same-origin) is not used, the resource is treated as being from a special origin that always fails the same-origin policy (potentially preventing access to data storage/cookies and some JavaScript APIs). |
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Codecov Report
@@ Coverage Diff @@
## main #19017 +/- ##
==========================================
- Coverage 47.36% 47.18% -0.19%
==========================================
Files 967 968 +1
Lines 134131 134224 +93
==========================================
- Hits 63530 63332 -198
- Misses 62876 63178 +302
+ Partials 7725 7714 -11
Continue to review full report at Codecov.
|
* giteaofficial/main: Allow render HTML with css/js external links (go-gitea#19017) Use correct count for `NumOpenIssues` (go-gitea#19980) In code search, get code unit accessible repos in one (main) query (go-gitea#19764) [skip ci] Updated translations via Crowdin Always try to fetch repo for mirrors (go-gitea#19975) Remove tab/TabName usage where it's not needed (go-gitea#19973) Fix cli command restore-repo: "units" should be parsed as StringSlice (go-gitea#19953) Uppercase first languages letters (go-gitea#19965) Move tests as seperate sub packages to reduce duplicated file names (go-gitea#19951) Replace unstyled meter with progress (go-gitea#19968) [skip ci] Updated translations via Crowdin [skip ci] Updated translations via Crowdin Remove singuliere from MAINTAINERS (go-gitea#19883) Fix aria for logo (go-gitea#19955) Fix mirror template bug (go-gitea#19959)
* Allow render HTML with css/js external links * Fix bug because of filename escape chars * Fix lint * Update docs about new configuration item * Fix bug of render HTML in sub directory * Add CSP head for displaying iframe in rendering file * Fix test * Apply suggestions from code review Co-authored-by: delvh <dev.lh@web.de> * Some improvements * some improvement * revert change in SanitizerDisabled of external renderer * Add sandbox for iframe and support allow-scripts and allow-same-origin * refactor * fix * fix lint * fine tune * use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts * fine tune CSP * Apply suggestions from code review Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
* Allow render HTML with css/js external links * Fix bug because of filename escape chars * Fix lint * Update docs about new configuration item * Fix bug of render HTML in sub directory * Add CSP head for displaying iframe in rendering file * Fix test * Apply suggestions from code review Co-authored-by: delvh <dev.lh@web.de> * Some improvements * some improvement * revert change in SanitizerDisabled of external renderer * Add sandbox for iframe and support allow-scripts and allow-same-origin * refactor * fix * fix lint * fine tune * use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts * fine tune CSP * Apply suggestions from code review Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: delvh <dev.lh@web.de> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
It was always attempted to read the file to be rendered as UTF-8. The encoding was determined heuristically, regardless of the file type. Sometimes binary files were not recognized as binary. Renderers of binary formats were then fed with corrupted data: binary stream treated as text and encoded in UTF-8. Only apply heuristics for textual formats, read other formats as-is. Fixes: b01dce2 ("Allow render HTML with css/js external links (go-gitea#19017)") Cc: xiaolunwen@gmail.com Signed-off-by: Dmitry Kozlyuk <dmitry.kozliuk@gmail.com>
This PR allows to render some HTMLs which has
<style>,<script>tags whenSANITIZERdisabled. This also makes it simpler when configuring some external renderers.