From 91bbc452a5d7e9ef7eeddbe7bbb40d9b17a42b71 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Tue, 18 Jul 2023 10:29:53 +0000
Subject: [PATCH 1/4] Disallow dangerous url schemes.

---
 go.mod | 2 +-
 go.sum | 2 ++
 modules/markup/sanitizer.go | 9 +++++++++
 modules/markup/sanitizer_test.go | 9 +++++++--
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 99b25a2619435..6cd8aabd5383e 100644
--- a/go.mod
+++ b/go.mod
@@ -76,7 +76,7 @@ require (
 github.com/mattn/go-sqlite3 v1.14.17
 github.com/meilisearch/meilisearch-go v0.25.0
 github.com/mholt/archiver/v3 v3.5.1
- github.com/microcosm-cc/bluemonday v1.0.24
+ github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57
 github.com/minio/minio-go/v7 v7.0.60
 github.com/minio/sha256-simd v1.0.1
 github.com/msteinert/pam v1.1.0
diff --git a/go.sum b/go.sum
index a2568460f105f..64d6234ac097c 100644
--- a/go.sum
+++ b/go.sum
@@ -867,6 +867,8 @@ github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Cl
 github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
 github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
 github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
+github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57 h1:UAolUtPyM8Xp4kdvy+KUDYPfyhfiVeBvAL2Q2EeL2LA=
+github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57/go.mod h1:xuxNNQCTtuLIdD84E4WN6MOlWp3V4wrfaMKyyfQezaU=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
 github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 59cde61a68167..7704df5c53b8a 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -6,6 +6,7 @@ package markup import ( "io" + "net/url" "regexp" "sync" @@ -79,6 +80,14 @@ func createDefaultPolicy() *bluemonday.Policy { policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) } else { policy.AllowURLSchemesMatching(allowAllRegex) + + // Even if every scheme is allowed, these three are blocked + disallowScheme := func(*url.URL) bool { + return false + } + policy.AllowURLSchemeWithCustomPolicy("javascript", disallowScheme) + policy.AllowURLSchemeWithCustomPolicy("vbscript", disallowScheme) + policy.AllowURLSchemeWithCustomPolicy("data", disallowScheme) } // Allow classes for anchors diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go index 0c22ce3ba0e78..4d85cbf9f303b 100644 --- a/modules/markup/sanitizer_test.go +++ b/modules/markup/sanitizer_test.go @@ -54,8 +54,13 @@ func Test_Sanitizer(t *testing.T) { `Hello World`, `Hello World`, // URLs - `[my custom URL scheme](cbthunderlink://somebase64string)`, `[my custom URL scheme](cbthunderlink://somebase64string)`, - `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, `[my custom URL scheme](matrix:roomid/psumPMeAfzgAeQpXMG:feneas.org?action=join)`, + `my custom URL scheme`, `my custom URL scheme`, + `my custom URL scheme`, `my custom URL scheme`, + + // Disallow dangerous url schemes + `bad`, `bad`, + `bad`, `bad`, + `bad`, `bad`, } for i := 0; i < len(testCases); i += 2 { From 6b1803fba93ecf3835e0f2810ba382381923de58 Mon Sep 17 00:00:00 2001 From: KN4CK3R Date: Tue, 18 Jul 2023 11:36:27 +0000 Subject: [PATCH 2/4] Update bluemonday. --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 6cd8aabd5383e..9ba54ed185487 100644 --- a/go.mod +++ b/go.mod 
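Review bot: The `disallowScheme` policy and the three `policy.AllowURLSchemeWithCustomPolicy(...)` calls sit inside the `else` branch, so they only take effect when `setting.Markdown.CustomURLSchemes` is empty; a configuration that lists one of these schemes goes through `policy.AllowURLSchemes(...)` in the `if` branch with no such guard. Moving the closure and the three calls to just after the closing `}` of the if/else makes the deny-list hold on both branches without changing the allow-all behaviour. That a custom policy for a scheme wins over `AllowURLSchemesMatching(allowAllRegex)` for that same scheme looks, judging by the go.mod bump in the same patch, like a property of the newer bluemonday rather than of this code, so the comment should record it, e.g. `// Relies on the bluemonday pinned in go.mod (v1.0.25) evaluating per-scheme custom policies ahead of AllowURLSchemesMatching` so that a later downgrade does not quietly reopen the hole. Blocking `data` rejects every media type, including inline images the allow-all branch accepted before this change; if that is intended, say so in the same comment. createDefaultPolicy begins before the hunk and continues past it.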
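Review bot: The three new `bad` cases exercise each blocked scheme exactly once, spelled in lowercase, and as far as the hunk shows only through the default policy, where `CustomURLSchemes` is presumably empty. A case run with a non-empty `CustomURLSchemes` setting would pin whether the deny-list is meant to hold on that branch too, and a mixed-case spelling of one scheme would document that normalisation is covered (`url.Parse` lowercases the scheme, so it should already pass). Test_Sanitizer begins before the hunk and its loop body continues past it.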
@@ -76,7 +76,7 @@ require (
 github.com/mattn/go-sqlite3 v1.14.17
 github.com/meilisearch/meilisearch-go v0.25.0
 github.com/mholt/archiver/v3 v3.5.1
- github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57
+ github.com/microcosm-cc/bluemonday v1.0.25
 github.com/minio/minio-go/v7 v7.0.60
 github.com/minio/sha256-simd v1.0.1
 github.com/msteinert/pam v1.1.0
diff --git a/go.sum b/go.sum
index 64d6234ac097c..3eb563e88c667 100644
--- a/go.sum
+++ b/go.sum
@@ -869,6 +869,8 @@ github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO
 github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
 github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57 h1:UAolUtPyM8Xp4kdvy+KUDYPfyhfiVeBvAL2Q2EeL2LA=
 github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57/go.mod h1:xuxNNQCTtuLIdD84E4WN6MOlWp3V4wrfaMKyyfQezaU=
+github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
+github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
 github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=

From 07118f52d989cbf3cefd33af112055520a461df5 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Tue, 18 Jul 2023 12:20:14 +0000
Subject: [PATCH 3/4] tidy

---
 go.sum | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/go.sum b/go.sum
index 3eb563e88c667..5f2704fddbdeb 100644
--- a/go.sum
+++ b/go.sum
@@ -865,10 +865,6 @@ github.com/mholt/acmez v1.2.0 h1:1hhLxSgY5FvH5HCnGUuwbKY2VQVo8IU7rxXKSnZ7F30=
 github.com/mholt/acmez v1.2.0/go.mod h1:VT9YwH1xgNX1kmYY89gY8xPJC84BFAisjo8Egigt4kE=
 github.com/mholt/archiver/v3 v3.5.1 h1:rDjOBX9JSF5BvoJGvjqK479aL70qh9DIpZCl+k7Clwo=
 github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4=
-github.com/microcosm-cc/bluemonday v1.0.24 h1:NGQoPtwGVcbGkKfvyYk1yRqknzBuoMiUrO6R7uFTPlw=
-github.com/microcosm-cc/bluemonday v1.0.24/go.mod h1:ArQySAMps0790cHSkdPEJ7bGkF2VePWH773hsJNSHf8=
-github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57 h1:UAolUtPyM8Xp4kdvy+KUDYPfyhfiVeBvAL2Q2EeL2LA=
-github.com/microcosm-cc/bluemonday v1.0.25-0.20230718093958-84e9ab41bc57/go.mod h1:xuxNNQCTtuLIdD84E4WN6MOlWp3V4wrfaMKyyfQezaU=
 github.com/microcosm-cc/bluemonday v1.0.25 h1:4NEwSfiJ+Wva0VxN5B8OwMicaJvD8r9tlJWm9rtloEg=
 github.com/microcosm-cc/bluemonday v1.0.25/go.mod h1:ZIOjCQp1OrzBBPIJmfX4qDYFuhU02nx4bn030ixfHLE=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=

From eefb657a0f4c248879cce40035d0d8ef1aff9716 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Tue, 18 Jul 2023 16:23:59 +0200
Subject: [PATCH 4/4] Update modules/markup/sanitizer.go

Co-authored-by: delvh
---
 modules/markup/sanitizer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 7704df5c53b8a..9f97f1d5b13e0 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -81,7 +81,7 @@ func createDefaultPolicy() *bluemonday.Policy {
 } else {
 policy.AllowURLSchemesMatching(allowAllRegex)
 
- // Even if every scheme is allowed, these three are blocked
+ // Even if every scheme is allowed, these three are blocked for security reasons
 disallowScheme := func(*url.URL) bool {
 return false
 }