sdgoij/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-01-16 17:10:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix link/origin referrer and login redirect (#36279)

Browse Source 
Fix #35998

1. Fix `<a rel>` :
    * "_blank" already means "noopener"
* "noreferrer" is already provided by page's `<meta name="referrer">`
2. Fix "redirect_to" mechisam
* Use "referer" header to determine the redirect link for a successful
login
3. Simplify code and merge duplicate logic
This commit is contained in:
wxiaoguang
2026-01-03 11:43:04 +08:00
committed by GitHub
parent 6fb3547417
commit b79dbfa990
46 changed files with 141 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
modules/markup/html_link.go
View File

@@ -208,7 +208,6 @@ func createDescriptionLink(href, content string) *html.Node {
Attr: []html.Attribute{
{Key: "href", Val: href},
{Key: "target", Val: "_blank"},
{Key: "rel", Val: "noopener noreferrer"},
},
}
textNode.Parent = linkNode

2
modules/markup/sanitizer_description_test.go
View File

@@ -16,7 +16,7 @@ func TestDescriptionSanitizer(t *testing.T) {
`<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`, `<span class="emoji" aria-label="thumbs up">THUMBS UP</span>`,
`<span style="color: red">Hello World</span>`, `<span>Hello World</span>`,
`<br>`, ``,
`<a href="https://example.com" target="_blank" rel="noopener noreferrer">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="noopener noreferrer nofollow">https://example.com</a>`,
`<a href="https://example.com" target="_blank">https://example.com</a>`, `<a href="https://example.com" target="_blank" rel="nofollow noopener">https://example.com</a>`,
`<a href="data:1234">data</a>`, `data`,
`<mark>Important!</mark>`, `Important!`,
`<details>Click me! <summary>Nothing to see here.</summary></details>`, `Click me! Nothing to see here.`,

14
modules/web/middleware/cookie.go
View File

@@ -14,14 +14,24 @@ import (
"code.gitea.io/gitea/modules/util"
)
const cookieRedirectTo = "redirect_to"
func GetRedirectToCookie(req *http.Request) string {
return GetSiteCookie(req, cookieRedirectTo)
}
// SetRedirectToCookie convenience function to set the RedirectTo cookie consistently
func SetRedirectToCookie(resp http.ResponseWriter, value string) {
SetSiteCookie(resp, "redirect_to", value, 0)
SetSiteCookie(resp, cookieRedirectTo, value, 0)
}
// DeleteRedirectToCookie convenience function to delete most cookies consistently
func DeleteRedirectToCookie(resp http.ResponseWriter) {
SetSiteCookie(resp, "redirect_to", "", -1)
SetSiteCookie(resp, cookieRedirectTo, "", -1)
}
func RedirectLinkUserLogin(req *http.Request) string {
return setting.AppSubURL + "/user/login?redirect_to=" + url.QueryEscape(setting.AppSubURL+req.URL.RequestURI())
}
// GetSiteCookie returns given cookie value from request header.