Commit Graph

8 Commits

Author SHA1 Message Date
Martin Zimmermann
104afa8fa2 allow raw HTML markup for a few (whitelisted) tags
To be compatible with comments from Disqus (and users unfamiliar with
Markdown), Misaka no longer disables user-inputted HTML, but the
generated HTML is now post-processed and all "unsafe" tags (not
possible with Markdown) are discarded.

Whitelist: p, a, pre, blockquote, h1-h6, em, sub, sup, del, ins, math,
           dl, ol, ul, li

This commit also removes an unnecessary newline generated by
Misaka/Sundown.

Conflicts:
	isso/utils/__init__.py
2014-01-12 14:49:26 +01:00
Martin Zimmermann
232e2fb474 another approach to fix #40 (return 403 on false Content-Type)
When an attacker uses a <form> to downvote a comment, the browser
*should* add a `Content-Type: ...` header with three possible values:

    * application/x-www-form-urlencoded
    * multipart/form-data
    * text/plain

If the header is not sent or requests `application/json`, the
request is not forged (XHR is restricted by CORS separately).
2013-12-04 23:36:48 +01:00
Martin Zimmermann
1db06bbf39 Revert "HTTP Origin is only sent on cross-origin requests in Firefox"
Revert "use Referer instead of Origin when using IE"
Revert "fix unittests"
Revert "check if Origin matches Host to mitigate CSRF, part of #40"

This reverts commit 9376511485c70deaf908aa67bcdc8f0c9a0b003e.
This reverts commit 9a03cca793.
This reverts commit 4c16ba76cc.
This reverts commit 32e4b70510.
2013-12-04 17:09:22 +01:00
Martin Zimmermann
b839b2be31 HTTP Origin is only sent on cross-origin requests in Firefox
Therefore, only raise Forbidden if Origin (or Referer for MSIE) is sent
(which is a protected header and all modern browsers (except IE)).

Also add a basic unit test which asserts the failure for false origins.
2013-12-04 17:09:22 +01:00
Laurent Arnoud
02db978308 Add check with blank text 2013-12-04 00:35:09 +01:00
Martin Zimmermann
f0ee0a18b1 move unittest helpers into a separate file 2013-11-13 14:25:05 +01:00
Martin Zimmermann
6e85c54a2e refactor views and introduce an API for notifications
Keep Isso modular, not monolithic. Make it easy to integrate a
web interface or add XMPP notifications.

This refactorization includes minor bugfixes and changes:

* CORS middleware did not work properly due to wrong unit tests
* more type checks on JSON input
* new detection for origin and public url, closes #28
* new activation and delete url (no redirect for old urls, but you can
  convert the old urls: copy hash after `/activate/` (or delete) and
  open `/id/<id of comment>/activate/<hash>`
* move crypto.py to utils/

With this commit, SMTP is no longer automatically configured: add
`notify = smtp` to the `[general]` section to use SMTP.
2013-11-11 12:09:19 +01:00
Martin Zimmermann
1174259b27 mv comment -> comments 2013-11-08 18:55:02 +01:00