# HG changeset patch
# User Thomas Waldmann
# Date 1298323197 -3600
# Node ID 97208f67798fa035f95d4f2d25517faa018130e7
# Parent b1b82826f8b8b924b98adf39362fefd05f79484d
remove support for javascript: URLs in the rst parser (dangerous, XSS)
diff -r b1b82826f8b8 -r 97208f67798f MoinMoin/parser/text_rst.py
--- a/MoinMoin/parser/text_rst.py Thu Jan 20 13:34:33 2011 +0100
+++ b/MoinMoin/parser/text_rst.py Mon Feb 21 22:19:57 2011 +0100
@@ -391,6 +391,9 @@
 # for images with targets).
 if not [i for i in node.children if i.__class__ == docutils.nodes.image]:
 node['classes'].append('interwiki')
+ elif prefix == 'javascript':
+ # is someone trying to do XSS with javascript?
+ node['refuri'] = 'javascript:alert("it does not work")'
 elif prefix != '':
 # Some link scheme (http, file, https, mailto, etc.), add class
 # information if the reference doesn't have a child image (don't
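Review bot: The new `elif prefix == 'javascript':` branch is an exact, case-sensitive string compare, so whether it actually catches the scheme depends on how `prefix` was normalised before this point (not visible in the hunk); URL schemes are case-insensitive, and unless the caller already lower-cases it, a differently-cased scheme falls through to the generic `elif prefix != '':` branch below and is emitted as an ordinary link. A single-scheme denylist is also narrower than the commit title implies; the robust form is an allowlist of the schemes the following comment already enumerates (http, https, file, mailto, …) with everything else refused. The replacement target is itself still a `javascript:` URL that a browser executes on click (an alert), which is an odd thing to leave in rendered output; an inert value such as `node['refuri'] = '#'` plus a logged warning would be clearer. At minimum the comparison should be `elif prefix.lower() == 'javascript':`. The enclosing function starts and ends outside this hunk.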