remove support for javascript: URLs in the rst parser (dangerous, XSS)
author Thomas Waldmann <tw AT waldmann-edv DOT de>
Mon, 21 Feb 2011 22:19:57 +0100
changeset 5763 97208f67798f
parent 5762 b1b82826f8b8
child 5764 67ddd66d5428
MoinMoin/parser/text_rst.py
     1.1 --- a/MoinMoin/parser/text_rst.py	Thu Jan 20 13:34:33 2011 +0100
     1.2 +++ b/MoinMoin/parser/text_rst.py	Mon Feb 21 22:19:57 2011 +0100
     1.3 @@ -391,6 +391,9 @@
     1.4                  # for images with targets).
     1.5                  if not [i for i in node.children if i.__class__ == docutils.nodes.image]:
     1.6                      node['classes'].append('interwiki')
     1.7 +            elif prefix == 'javascript':
     1.8 +                # is someone trying to do XSS with javascript?
     1.9 +                node['refuri'] = 'javascript:alert("it does not work")'
    1.10              elif prefix != '':
    1.11                  # Some link scheme (http, file, https, mailto, etc.), add class
    1.12                  # information if the reference doesn't have a child image (don't
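Review bot: the new `elif prefix == 'javascript':` branch still emits a javascript: URL, because it sets `node['refuri'] = 'javascript:alert("it does not work")'`; that target runs script when clicked, so the commit's stated goal (removing support for javascript: URLs) is only half met. Drop the target instead, e.g. set `node['refuri'] = ''` or delete the key, so the link degrades to plain text. Two further points on the same branch: the comparison is an exact match on the literal `'javascript'`, so it relies on `prefix` having been lower-cased and stripped of surrounding whitespace before this point, and any case variant or other script-capable scheme not named here falls through to `elif prefix != ''` and is treated as an ordinary link scheme. Since the comment in that branch already enumerates the expected schemes (http, file, https, mailto), a safelist of allowed schemes with everything else neutralized would be more robust than a blocklist of one, and the branch deserves a comment saying why the target is removed rather than the current "is someone trying to do XSS" question.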