Roundup Tracker - Issues

Message7019

Author rouilj
Recipients rouilj
Date 2020-10-31.19:21:59
Message-id <1604172119.3.0.825477740147.issue2551099@roundup.psfhosted.org>
In-reply-to

Data URLs can be abused similar to javascript URLs.

Disable them, display straight text when entered using markdown.

User should be able to re-enable on a tracker by modifying
_disable_url_schemes in templating.py from interfaces.py.

Ref:
https://resources.infosecinstitute.com/topic/phishing-with-data-uri/

https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

https://en.wikipedia.org/wiki/Data_URI_scheme#Malware_and_phishing
History
Date                 User    Action  Args
2020-10-31 19:21:59  rouilj  set     recipients: + rouilj
2020-10-31 19:21:59  rouilj  set     messageid: <1604172119.3.0.825477740147.issue2551099@roundup.psfhosted.org>
2020-10-31 19:21:59  rouilj  link    issue2551099 messages
2020-10-31 19:21:59  rouilj  create
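
The scheme check proposed in the message above, as an added example that is not Roundup's code and not part of the original message: a deny-list applied to a link's scheme after browser-style normalization, with disabled links shown as plain text. The names `DISABLED_SCHEMES`, `url_scheme` and `render_link` are hypothetical, and the contents of Roundup's `_disable_url_schemes` are assumed, since the message does not show them.

```python
import html
import re

# Assumption: a hypothetical deny-list for this example. The message names
# Roundup's setting _disable_url_schemes but does not show its contents.
DISABLED_SCHEMES = {"javascript", "data"}

# Browsers strip leading/trailing C0 control characters and spaces, and drop
# tab/CR/LF anywhere in a URL, before parsing the scheme (WHATWG URL spec).
# A filter that skips this step can be bypassed by padded or split schemes.
_STRIP_EDGES = "".join(chr(c) for c in range(0x21))
_DROP_ANYWHERE = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def url_scheme(url):
    """Return the lower-cased scheme as a browser would see it, or None."""
    cleaned = _DROP_ANYWHERE.sub("", url.strip(_STRIP_EDGES))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def render_link(label, url, disabled=DISABLED_SCHEMES):
    """Render a markdown link, or plain escaped text for a disabled scheme."""
    if url_scheme(url) in disabled:
        # Show what the user typed as inert text instead of an anchor.
        return html.escape("[%s](%s)" % (label, url))
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label))
```

Passing a smaller `disabled` set to `render_link` models a tracker that re-enables a scheme.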