Merge pull request #1351 from chris34/markup-changes

Markup changes

Author: chris34

ChangeLog.rst

@@ -25,17 +25,14 @@ Inyoka Changelog
    -----------
 
 
-Unreleased AA.BB.CC (2024-MM-DD)
+Unreleased 1.0.0 (2024-10-12)
 =====================
 
 Deployment notes
 ----------------
 
 #. Update requirements
 
-✨ New features
----------------
-
 🏗 Changes
 ----------
 
@@ -47,9 +44,12 @@ Deployment notes
 * Documentation: Now possible to use Markdown
 * Documentation is now published at https://doc.inyokaproject.org/
 * Use Django's view and form for change password
-
-🗑 Deprecations
---------------
+* Restrict user defineable font faces: Only ``[font=Arial]``, ``[font=serif]``, ``[font=sans-serif]`` and ``[font=Courier]`` are allowed
+* Disallow ``<color>`` and ``<font>`` in signatures
+* InyokaMarkup: Extend filtering of control characters
+* InyokaMarkup: Remove empty paragraphs in generated HTML
+* InyokaMarkup: Dont split up long links in HTML-markup (instead rely on CSS)
+* Table of contents: Dont strip long heading text
 
 🔥 Removals
 -----------
@@ -60,12 +60,15 @@ Deployment notes
 --------
 
 * Splittopic form: Fix maximum length for title of new topic
+* Forum posts & Ikhaya comments can now start with a list (space is preserved)
 
 🔒 Security
 -----------
 
 * Add ``SECURITY.md``
 * Update requirements (at least the dependencies ``Django`` include known security fixes)
+* Markup, Edited-/Mod boxes: Escape parameters to prevent HTML injection
+* Templates: Escape more user-controllable variables to prevent HTML injections
 
 0.36.1 (2024-08-06)
 ===================

inyoka/forum/jinja2/forum/edit.html

@@ -20,7 +20,7 @@
 {% if not topic %}
   {% do tmp_crumb.append((_('New topic'), forum|url('newtopic'))) %}
 {% else %}
-  {% do tmp_crumb.append((topic.title, topic|url)) %}
+  {% do tmp_crumb.append((topic.title|e, topic|url)) %}
   {% if post %}
     {% do tmp_crumb.append((_('Edit post'), '')) %}
   {% else %}

inyoka/forum/jinja2/forum/movetopic.html

@@ -13,7 +13,7 @@
 {% for parent in topic.forum.parents|reverse %}
   {% do tmp_crumb.append((parent.name, parent|url)) %}
 {% endfor %}
-{% do tmp_crumb.extend([(topic.forum.name, topic.forum|url), (topic.title, topic|url),
+{% do tmp_crumb.extend([(topic.forum.name, topic.forum|url), (topic.title|e, topic|url),
                         (_('Move'), topic|url('move'))])%}
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}
 

inyoka/forum/jinja2/forum/postlist.html

@@ -13,12 +13,12 @@
 {% from 'macros.html' import render_pagination, render_small_pagination %}
 {% set rendered_pagination = render_pagination(pagination) %}
 
-{% set tmp_crumb = [(username, href('forum', 'author', username|e))] %}
+{% set tmp_crumb = [(username|e, href('forum', 'author', username|e))] %}
 {% if forum %}
     {% do tmp_crumb.append((forum.name, href('forum', 'author', username|e, 'forum', forum.slug))) %}
 {% endif %}
 {% if topic %}
-    {% do tmp_crumb.append((topic.title, href('forum', 'author', username|e, 'topic', topic.slug))) %}
+    {% do tmp_crumb.append((topic.title|e, href('forum', 'author', username|e, 'topic', topic.slug))) %}
 {% endif %}
 
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}

inyoka/forum/jinja2/forum/report.html

@@ -11,7 +11,7 @@
 
 {%- extends 'forum/page.html' %}
 {% set BREADCRUMBS = [(_('Report'), topic|url('report')), (topic.forum.name, topic.forum|url),
-                        (topic.title, topic|url)] + BREADCRUMBS|d([]) %}
+                        (topic.title|e, topic|url)] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}
   <form action="" method="post" enctype="multipart/form-data" class="new_topic">

inyoka/forum/jinja2/forum/revisions.html

@@ -10,7 +10,7 @@
 #}
 
 {%- extends 'forum/page.html' %}
-{% set BREADCRUMBS = [(post.topic.title, post.topic|url),
+{% set BREADCRUMBS = [(post.topic.title|e, post.topic|url),
                       (_('Old revisions'), post|url('revisions'))] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}

inyoka/forum/jinja2/forum/splittopic.html

@@ -11,7 +11,7 @@
 {% import 'macros.html' as macros %}
 {% set BREADCRUMBS = [(_('Split topic'), topic|url('split')),
                       (topic.forum.name, topic.forum|url),
-                      (topic.title, topic|url)] + BREADCRUMBS|d([]) %}
+                      (topic.title|e, topic|url)] + BREADCRUMBS|d([]) %}
 
 {% block forum_content %}
   <form action="" method="post" class="new_topic">

inyoka/forum/jinja2/forum/topic.html

@@ -24,7 +24,7 @@
 {% for parent in forum.parents|reverse %}
   {% do tmp_crumb.append((parent.name, parent|url)) %}
 {% endfor %}
-{% do tmp_crumb.extend([(forum.name, forum|url), (topic.title, topic|url)]) %}
+{% do tmp_crumb.extend([(forum.name, forum|url), (name, topic|url)]) %}
 {% set BREADCRUMBS = tmp_crumb + BREADCRUMBS|d([]) %}
 
 {% set rendered_pagination = render_pagination(pagination) %}

inyoka/markup/base.py

@@ -558,12 +558,17 @@ def parse_font(self, stream):
         Returns a `Font` node.
         """
         stream.expect('font_begin')
-        face = stream.expect('font_face').value.strip()
+        face = stream.expect('font_face').value.strip().lower()
+        allowed_font_faces = ('serif', 'sans-serif', 'arial', 'courier')
+        if face not in allowed_font_faces:
+            face = None
+
         children = []
         while stream.current.type != 'font_end':
             children.append(self.parse_node(stream))
         stream.expect('font_end')
-        return nodes.Font([face], children)
+
+        return nodes.Font(face, children)
 
     def parse_mod(self, stream):
         """
@@ -716,7 +721,7 @@ def parse_external_link(self, stream):
 
     def parse_free_link(self, stream):
         """
-        Parses an free link.
+        Parses a free link.
 
         Returns a `Link` node.
         """
@@ -725,7 +730,7 @@ def parse_free_link(self, stream):
             urlsplit(target)
         except ValueError:
             return nodes.Text(target)
-        return nodes.Link(target, shorten=True)
+        return nodes.Link(target)
 
     def parse_ruler(self, stream):
         """

inyoka/markup/lexer.py

@@ -94,9 +94,10 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
     r'(?:mailto|telnet|s?news|sips?|skype|apt):)'
 )
 
+_control_characters = r'[\x00-\x08\x0B-\x0C\x0E-\x1F\x80-\x9F]'
+
 rules = {
     'everything': ruleset(
-        rule(r'[\x00-\x08\x0B-\x0C\x0E-\x1F]', None),  # ignore control character
         include('block'),
         include('inline'),
         include('links')
@@ -107,6 +108,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
     ),
     'block': ruleset(
         rule('(?m)^##.*?(\n|$)', None),
+        rule(_control_characters, None),  # ignore control character
         rule(r'(?m)^#\s*(.*?)\s*:\s*', bygroups('metadata_key'),
              enter='metadata'),
         rule(r'(?m)^={1,5}\s*', enter='headline'),
@@ -121,6 +123,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
     ),
     'inline': ruleset(
         rule('(?s)<!--.*?-->', None),
+        rule(_control_characters, None),  # ignore control character
         rule("'''", enter='strong'),
         rule("''", enter='emphasized'),
         rule('``', enter='escaped_code'),
@@ -286,6 +289,7 @@ def __init__(self, regexp, token=None, enter=None, silententer=None,
         include('function_call')
     ),
     'parser_data': ruleset(
+        rule(_control_characters, None),  # ignore control character
         rule(r'\}\}\}', leave=1)
     ),
     'pre_data': ruleset(