mirror of
https://gitea.mueller.network/extern/django-helpdesk.git
synced 2024-12-27 09:08:53 +01:00
Add URL schemes that are allowed within links
Fix bug Stored XSS via markdown Disclosure: https://huntr.dev/bounties/be7f211d-4bfd-44fd-91e8-682329906fbd/
This commit is contained in:
parent
3f245871ac
commit
c54b89f143
@ -56,6 +56,10 @@ def get_markdown(text):
|
||||
if not text:
|
||||
return ""
|
||||
|
||||
schemes = '|'.join(helpdesk_settings.ALLOWED_URL_SCHEMES)
|
||||
pattern = fr'\[(.+)\]\((?!({schemes})).*:(.+)\)'
|
||||
text = re.sub(pattern, '[\\1](\\3)', text, flags=re.IGNORECASE)
|
||||
|
||||
return mark_safe(
|
||||
markdown(
|
||||
text,
|
||||
|
@ -76,7 +76,10 @@ HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE = getattr(settings,
|
||||
'HELPDESK_AUTO_SUBSCRIBE_ON_TICKET_RESPONSE',
|
||||
False)
|
||||
|
||||
|
||||
# URL schemes that are allowed within links
|
||||
ALLOWED_URL_SCHEMES = getattr(settings, 'ALLOWED_URL_SCHEMES', (
|
||||
'file', 'ftp', 'ftps', 'http', 'https', 'irc', 'mailto', 'sftp', 'ssh', 'tel', 'telnet', 'tftp', 'vnc', 'xmpp',
|
||||
))
|
||||
############################
|
||||
# options for public pages #
|
||||
############################
|
||||
|
Loading…
Reference in New Issue
Block a user