
Commit 48cf8d5

authored
Merge pull request #1351 from chris34/markup-changes
Markup changes
2 parents 2cd2248 + 0485150 commit 48cf8d5


23 files changed

+369
-257
lines changed

23 files changed

+369
-257
lines changed

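--- a/ChangeLog.rst
+++ b/ChangeLog.rst
@@ -25,17 +25,14 @@ Inyoka Changelog
 -----------
 
 
-Unreleased AA.BB.CC (2024-MM-DD)
+Unreleased 1.0.0 (2024-10-12)
 =====================
 
 Deployment notes
 ----------------
 
 #. Update requirements
 
-✨ New features
----------------
-
 🏗 Changes
 ----------
 
@@ -47,9 +44,12 @@ Deployment notes
 * Documentation: Now possible to use Markdown
 * Documentation is now published at https://doc.inyokaproject.org/
 * Use Django's view and form for change password
-
-🗑 Deprecations
---------------
+* Restrict user defineable font faces: Only ``[font=Arial]``, ``[font=serif]``, ``[font=sans-serif]`` and ``[font=Courier]`` are allowed
+* Disallow ``<color>`` and ``<font>`` in signatures
+* InyokaMarkup: Extend filtering of control characters
+* InyokaMarkup: Remove empty paragraphs in generated HTML
+* InyokaMarkup: Dont split up long links in HTML-markup (instead rely on CSS)
+* Table of contents: Dont strip long heading text
 
 🔥 Removals
 -----------
@@ -60,12 +60,15 @@ Deployment notes
 --------
 
 * Splittopic form: Fix maximum length for title of new topic
+* Forum posts & Ikhaya comments can now start with a list (space is preserved)
 
 🔒 Security
 -----------
 
 * Add ``SECURITY.md``
 * Update requirements (at least the dependencies ``Django`` include known security fixes)
+* Markup, Edited-/Mod boxes: Escape parameters to prevent HTML injection
+* Templates: Escape more user-controllable variables to prevent HTML injections
 
 0.36.1 (2024-08-06)
 ===================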

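--- a/inyoka/forum/jinja2/forum/edit.html
+++ b/inyoka/forum/jinja2/forum/edit.html
@@ -20,7 +20,7 @@
 {% if not topic %}
 {% do tmp_crumb.append((_('New topic'), forum|url('newtopic'))) %}
 {% else %}
-{% do tmp_crumb.append((topic.title, topic|url)) %}
+{% do tmp_crumb.append((topic.title|e, topic|url)) %}
 {% if post %}
 {% do tmp_crumb.append((_('Edit post'), '')) %}
 {% else %}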
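Review bot: The escaping is applied where each crumb is built rather than where the breadcrumb list is rendered, which is why the same one-token fix recurs in movetopic.html, postlist.html, report.html, revisions.html and splittopic.html and leaves `forum.name`, `parent.name` and the other labels in those lists untouched. If the renderer that consumes BREADCRUMBS (not in this diff) emits labels as safe markup, every label that is not passed through `|e` remains a sink, so escaping once in that renderer would cover all of them. Short of that, a comment at each crumb list would make the contract explicit, e.g. `{# breadcrumb labels are emitted unescaped downstream: pass user-controlled text through |e #}`. Whether forum and parent names are user-controllable cannot be told from this hunk.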

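--- a/inyoka/forum/jinja2/forum/movetopic.html
+++ b/inyoka/forum/jinja2/forum/movetopic.html
@@ -13,7 +13,7 @@
 {% for parent in topic.forum.parents|reverse %}
 {% do tmp_crumb.append((parent.name, parent|url)) %}
 {% endfor %}
-{% do tmp_crumb.extend([(topic.forum.name, topic.forum|url), (topic.title, topic|url),
+{% do tmp_crumb.extend([(topic.forum.name, topic.forum|url), (topic.title|e, topic|url),
 (_('Move'), topic|url('move'))])%}
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}
 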

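--- a/inyoka/forum/jinja2/forum/postlist.html
+++ b/inyoka/forum/jinja2/forum/postlist.html
@@ -13,12 +13,12 @@
 {% from 'macros.html' import render_pagination, render_small_pagination %}
 {% set rendered_pagination = render_pagination(pagination) %}
 
-{% set tmp_crumb = [(username, href('forum', 'author', username|e))] %}
+{% set tmp_crumb = [(username|e, href('forum', 'author', username|e))] %}
 {% if forum %}
 {% do tmp_crumb.append((forum.name, href('forum', 'author', username|e, 'forum', forum.slug))) %}
 {% endif %}
 {% if topic %}
-{% do tmp_crumb.append((topic.title, href('forum', 'author', username|e, 'topic', topic.slug))) %}
+{% do tmp_crumb.append((topic.title|e, href('forum', 'author', username|e, 'topic', topic.slug))) %}
 {% endif %}
 
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}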

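--- a/inyoka/forum/jinja2/forum/report.html
+++ b/inyoka/forum/jinja2/forum/report.html
@@ -11,7 +11,7 @@
 
 {%- extends 'forum/page.html' %}
 {% set BREADCRUMBS = [(_('Report'), topic|url('report')), (topic.forum.name, topic.forum|url),
-(topic.title, topic|url)] + BREADCRUMBS|d([]) %}
+(topic.title|e, topic|url)] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}
 <form action="" method="post" enctype="multipart/form-data" class="new_topic">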

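--- a/inyoka/forum/jinja2/forum/revisions.html
+++ b/inyoka/forum/jinja2/forum/revisions.html
@@ -10,7 +10,7 @@
 #}
 
 {%- extends 'forum/page.html' %}
-{% set BREADCRUMBS = [(post.topic.title, post.topic|url),
+{% set BREADCRUMBS = [(post.topic.title|e, post.topic|url),
 (_('Old revisions'), post|url('revisions'))] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}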

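--- a/inyoka/forum/jinja2/forum/splittopic.html
+++ b/inyoka/forum/jinja2/forum/splittopic.html
@@ -11,7 +11,7 @@
 {% import 'macros.html' as macros %}
 {% set BREADCRUMBS = [(_('Split topic'), topic|url('split')),
 (topic.forum.name, topic.forum|url),
-(topic.title, topic|url)] + BREADCRUMBS|d([]) %}
+(topic.title|e, topic|url)] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}
 <form action="" method="post" class="new_topic">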

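--- a/inyoka/forum/jinja2/forum/topic.html
+++ b/inyoka/forum/jinja2/forum/topic.html
@@ -24,7 +24,7 @@
 {% for parent in forum.parents|reverse %}
 {% do tmp_crumb.append((parent.name, parent|url)) %}
 {% endfor %}
-{% do tmp_crumb.extend([(forum.name, forum|url), (topic.title, topic|url)]) %}
+{% do tmp_crumb.extend([(forum.name, forum|url), (name, topic|url)]) %}
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}
 
 {% set rendered_pagination = render_pagination(pagination) %}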
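Review bot: Line 27 replaces `topic.title` with `name` but, unlike edit.html, movetopic.html, postlist.html, report.html, revisions.html and splittopic.html in the same commit, applies no `|e` to the crumb label. `name` is assigned outside this hunk, so if it is derived from the topic title and not escaped at that assignment the crumb should read `(name|e, topic|url)`; if it is already escaped there, a comment at its definition saying so, e.g. `{# name is already HTML-escaped; do not apply |e again #}`, would keep the next reader from double-escaping it.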

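--- a/inyoka/markup/base.py
+++ b/inyoka/markup/base.py
@@ -558,12 +558,17 @@ def parse_font(self, stream):
 Returns a `Font` node.
 """
 stream.expect('font_begin')
-face = stream.expect('font_face').value.strip()
+face = stream.expect('font_face').value.strip().lower()
+allowed_font_faces = ('serif', 'sans-serif', 'arial', 'courier')
+if face not in allowed_font_faces:
+face = None
+
 children = []
 while stream.current.type != 'font_end':
 children.append(self.parse_node(stream))
 stream.expect('font_end')
-return nodes.Font([face], children)
+
+return nodes.Font(face, children)
 
 def parse_mod(self, stream):
 """
@@ -716,7 +721,7 @@ def parse_external_link(self, stream):
 
 def parse_free_link(self, stream):
 """
-Parses an free link.
+Parses a free link.
 
 Returns a `Link` node.
 """
@@ -725,7 +730,7 @@ def parse_free_link(self, stream):
 urlsplit(target)
 except ValueError:
 return nodes.Text(target)
-return nodes.Link(target, shorten=True)
+return nodes.Link(target)
 
 def parse_ruler(self, stream):
 """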
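Review bot: The allowlist check at new lines 562-564 silently turns any unrecognised face into `None`, and line 571 now hands `nodes.Font` the bare value where the removed line passed a one-element list; the `nodes.Font` constructor is outside this hunk, so confirm it accepts both a lowercased string and `None`. The tuple would be better as a module-level constant (`ALLOWED_FONT_FACES`) with a comment stating the intent, e.g. `# Only allowlisted faces are passed on to the rendered output; any other user-supplied value is dropped, not forwarded`, so the restriction is documented where a future maintainer would extend it. parse_font begins before the hunk.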

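--- a/inyoka/markup/lexer.py
+++ b/inyoka/markup/lexer.py
@@ -94,9 +94,10 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
 r'(?:mailto|telnet|s?news|sips?|skype|apt):)'
 )
 
+_control_characters = r'[\x00-\x08\x0B-\x0C\x0E-\x1F\x80-\x9F]'
+
 rules = {
 'everything': ruleset(
-rule(r'[\x00-\x08\x0B-\x0C\x0E-\x1F]', None), # ignore control character
 include('block'),
 include('inline'),
 include('links')
@@ -107,6 +108,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
 ),
 'block': ruleset(
 rule('(?m)^##.*?(\n|$)', None),
+rule(_control_characters, None), # ignore control character
 rule(r'(?m)^#\s*(.*?)\s*:\s*', bygroups('metadata_key'),
 enter='metadata'),
 rule(r'(?m)^={1,5}\s*', enter='headline'),
@@ -121,6 +123,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
 ),
 'inline': ruleset(
 rule('(?s)<!--.*?-->', None),
+rule(_control_characters, None), # ignore control character
 rule("'''", enter='strong'),
 rule("''", enter='emphasized'),
 rule('``', enter='escaped_code'),
@@ -286,6 +289,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
 include('function_call')
 ),
 'parser_data': ruleset(
+rule(_control_characters, None), # ignore control character
 rule(r'\}\}\}', leave=1)
 ),
 'pre_data': ruleset(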
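Review bot: `_control_characters` (new line 97) covers the C0 range on both sides of DEL and the C1 range `\x80-\x9F`, but leaves `\x7F` itself unmatched; if the intent is to drop every non-printing control character, the class should read `r'[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F-\x9F]'`. Removing the rule from 'everything' and adding it to 'block', 'inline' and 'parser_data' also means that only lexer states reaching one of those three rulesets filter control characters now; 'pre_data' starts on the hunk's last line with its body outside the hunk, and any other ruleset that does not include 'block' or 'inline' would pass them through where the top-level rule previously caught them, so the remaining rulesets deserve a quick check. A comment beside the constant naming the ranges, e.g. `# C0 controls other than \t, \n, \r, plus C1 controls: dropped before tokenising`, would document what is and is not filtered.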
