This commit updates the whitelist we're using for outgoing links from HedgeDoc. Previously, any URI scheme except javascript: could be used as long as it contains two slashes after the scheme (like https://). On the one hand this allowed linking to arbitrary and possibly unsafe URI schemes, on the other hand this breaks some schemes like xmpp: or geo:.
We're now using the list of schemes that can be registered by a browser to be opened. This restricts arbitrary scheme usage but on the other side fixes several other schemes.
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
Because sandbox is whitelist attribute, attacker will be able to create iframe that has more permission than default.
Signed-off-by: RyotaK <49341894+ry0tak@users.noreply.github.com>
Since we are about to release it's time to finally fix our linting. This
patch basically runs eslint --fix and does some further manual fixes.
Also it sets up eslint to fail on every warning on order to make
warnings visable in the CI process.
There should no functional change be introduced.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
We can load the xss functions directly from the library instead of
loading them through the expose loader of webpack, this should simplify
the setup and maybe even improve speed a bit.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
HTML5 provides a wide feature set of useful elements. Since Markdown
usually supports HTML it should be able to use these HTML5 tags as well.
As they were requested by some users and they where checked for being
safe, whitelisting them isn't a problem. To make the experience the same
as on GitHub when it comes to the basic look and feel of the rendered
markdown, some CSS was added to make the summary and the details tag
look like on GitHub.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
