Created Mar 23, 2017 by akwizgran (Owner)

HTML in blog posts should be sanitised

Links in manually created blog posts can specify any protocol. This can be used to specify the intent:// protocol handler, which makes creation of intents possible. This can be used to crash the app when the user clicks on a link. Other malicious actions might be possible.

All HTML should be passed through the HTML sanitiser before being rendered, and we should ensure that the sanitiser removes URLs with unknown protocols.
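As an added example (not Briar's own sanitiser, which this issue asks for), a minimal allowlisting HTML sanitiser in Python that rebuilds a post from a small set of tags and keeps an href only when its scheme is http or https, so an intent:// link loses its target instead of being rendered as clickable. The tag set, scheme set and sample post are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_SCHEMES = {"http", "https"}  # default-deny: intent:, javascript:, ... fall through


def is_safe_href(href):
    """Accept a link target only if its scheme is explicitly allowlisted."""
    href = href.strip()
    # Embedded whitespace/control chars make scheme parsing renderer-dependent; reject.
    if any(c.isspace() or ord(c) < 0x20 for c in href):
        return False
    return urlsplit(href).scheme.lower() in ALLOWED_SCHEMES


class BlogPostSanitiser(HTMLParser):
    """Rebuild the post from allowlisted tags; unknown tags are dropped, their text kept."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self.dropped_links = [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        href = dict(attrs).get("href") if tag == "a" else None
        if tag == "a" and (href is None or not is_safe_href(href)):
            self.dropped_links += 1  # link text stays but is not clickable
            href = None
        attr = ' href="%s"' % escape(href.strip(), quote=True) if href else ""
        self.parts.append("<%s%s>" % (tag, attr))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":  # <br> is a void element
            self.parts.append("</%s>" % tag)

    def handle_data(self, data):
        self.parts.append(escape(data))  # re-escape every text run


def sanitise(html):
    """Return (clean_html, number of links whose href was removed)."""
    p = BlogPostSanitiser()
    p.feed(html)
    p.close()
    return "".join(p.parts), p.dropped_links


# Constructed sample post: one ordinary link and one intent:// link.
SAMPLE = ('<p>See <a href="https://briarproject.org">the site</a> or '
          '<a href="intent://x#Intent;scheme=foo;end">this</a>.</p>')
```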
