Roundup Tracker - Issues

Issue 2551099

classification
Handle data: schema like javascript: schema in markdown
Type: behavior Severity: normal
Components: Versions:
process
Status: fixed Resolution: fixed
: rouilj : rouilj
Priority: normal : Effort-Low

Created on 2020-10-31 19:21 by rouilj, last changed 2020-11-01 01:47 by rouilj.

Messages
msg7019 Author: [hidden] (rouilj) Date: 2020-10-31 19:21
Data URLs can be abused similarly to javascript URLs.

Disable them, display straight text when entered using markdown.

User should be able to re-enable on a tracker by modifying
_disable_url_schemes in templating.py from interfaces.py.

Ref:
https://resources.infosecinstitute.com/topic/phishing-with-data-uri/

https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

https://en.wikipedia.org/wiki/Data_URI_scheme#Malware_and_phishing
msg7020 Author: [hidden] (rouilj) Date: 2020-11-01 01:47
Disabled data URLs in rev 6284:3f7538316724.
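
Added example, not Roundup's code and not part of either message above: a sketch of the check the issue describes, where a markdown link whose URL uses a disabled scheme is left as plain text. The names DISABLED_SCHEMES, url_scheme and render_links and the simplified link regex are assumptions; how Roundup's _disable_url_schemes is actually consulted is not shown on this page.

```python
import html
import re

# Assumed deny list; the issue names _disable_url_schemes but not its contents.
DISABLED_SCHEMES = {"javascript", "data"}

# Browsers remove tab/CR/LF anywhere in a URL and trim leading
# control characters and spaces before reading the scheme.
_TAB_NEWLINE = re.compile(r"[\t\r\n]")
_LEADING_JUNK = "".join(map(chr, range(0x21)))
_SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):")
# Simplified inline link: [label](url), no titles or nested brackets.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")


def url_scheme(url):
    """Return the lowercased scheme as a browser would parse it, or None."""
    cleaned = _TAB_NEWLINE.sub("", url).lstrip(_LEADING_JUNK).lower()
    m = _SCHEME.match(cleaned)
    return m.group(1) if m else None


def render_links(text):
    """Render inline links as HTML; links with a disabled scheme stay text."""
    out, pos = [], 0
    for m in _MD_LINK.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        label, url = m.groups()
        # Check the URL after decoding character references such as &#106;.
        if url_scheme(html.unescape(url)) in DISABLED_SCHEMES:
            out.append(html.escape(m.group(0)))  # show the markdown source
        else:
            out.append('<a href="%s">%s</a>'
                       % (html.escape(url), html.escape(label)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input.
    for sample in ("[home](https://example.org/)",
                   "see [doc](data:text/plain,hello)",
                   "[x](&#106;avascript:void0)"):
        print(render_links(sample))
```

Normalizing case, embedded tab/newline characters and character references before the comparison matters because a plain `startswith("data:")` test misses spellings that a browser still resolves to the same scheme.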
History
Date                 User    Action  Args
2020-11-01 01:47:05  rouilj  set     status: new -> fixed; resolution: fixed; messages: + msg7020
2020-10-31 19:21:59  rouilj  create