Skip to content

Harden render iframe open-link handling#36811

Merged
lunny merged 10 commits intogo-gitea:mainfrom
lunny:lunny/fix_render_iframe
Mar 4, 2026
Merged

Harden render iframe open-link handling#36811
lunny merged 10 commits intogo-gitea:mainfrom
lunny:lunny/fix_render_iframe

Conversation

@lunny
Copy link
Copy Markdown
Member

@lunny lunny commented Mar 3, 2026
edited
Loading

This PR hardens the handling of the “open-link” action in render iframes (external rendering iframes). It prevents iframes from triggering unsafe or unintended redirects or opening new windows via postMessage.

Additionally, it improves iframe height reporting to reduce scrollbar and height mismatch issues, and adds unit test coverage.

@lunny lunny added the type/bug label Mar 3, 2026
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 3, 2026
wxiaoguang
wxiaoguang reviewed Mar 3, 2026
View reviewed changes
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 3, 2026
@wxiaoguang wxiaoguang added the backport/v1.25 This PR should be backported to Gitea 1.25 label Mar 3, 2026
@wxiaoguang wxiaoguang force-pushed the lunny/fix_render_iframe branch from 4819f65 to 159b7ee Compare March 3, 2026 07:33
@silverwind
Copy link
Copy Markdown
Member

silverwind commented Mar 3, 2026

Would move these functions to utils/url.ts, they are not specific to markup/render-iframe.ts and could be used as general replacements for window.open (and window.open could be forbidden via eslint).

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 3, 2026
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 4, 2026
@lunny lunny merged commit 315b947 into go-gitea:main Mar 4, 2026
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Mar 4, 2026
@lunny lunny deleted the lunny/fix_render_iframe branch March 4, 2026 07:15
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Mar 4, 2026
@silverwind
Copy link
Copy Markdown
Member

silverwind commented Mar 4, 2026

Why ignore my feedback?

@wxiaoguang
Copy link
Copy Markdown
Contributor

wxiaoguang commented Mar 4, 2026

Why ignore my feedback?

Why you don't read code?

image

@GiteaBot
Copy link
Copy Markdown
Collaborator

GiteaBot commented Mar 4, 2026

I was unable to create a backport for 1.25. @lunny, please send one manually. 🍵

go run ./contrib/backport 36811
...  // fix git conflicts if any
go run ./contrib/backport --continue

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Mar 4, 2026
@lunny
Copy link
Copy Markdown
Member Author

lunny commented Mar 4, 2026

Why ignore my feedback?

Sorry. I thought the following changes from wxiaoguang after your feedback fix it.

@wxiaoguang
Copy link
Copy Markdown
Contributor

wxiaoguang commented Mar 4, 2026

Why ignore my feedback?

Sorry. I thought the following changes from wxiaoguang after your feedback fix it.

It does. He just likes guessing without reading the code or understanding the facts.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Mar 6, 2026
@zjjhot
Merge remote-tracking branch 'giteaofficial/main'
9ad2bd8 
* giteaofficial/main:
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
silverwind added a commit to silverwind/gitea that referenced this pull request Mar 6, 2026
@silverwind
Merge remote-tracking branch 'origin/main' into fixmerge
f626aa0 
* origin/main: (27 commits)
  Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797)
  Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
  Fix non-admins unable to automerge PRs from forks (go-gitea#36833)
  upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837)
  Fix dump release asset bug (go-gitea#36799)
  build(deps): update material-icon-theme v5.32.0 (go-gitea#36832)
  Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465)
  Fix forwarded proto handling for public URL detection (go-gitea#36810)
  Fix artifacts v4 backend upload problems (go-gitea#36805)
  Add a git grep search timeout (go-gitea#36809)
  fix(repo): unify DEFAULT_SHOW_FULL_NAME output in templates and dropdown (go-gitea#36597)
  Harden render iframe open-link handling (go-gitea#36811)
  [skip ci] Updated translations via Crowdin
  fix: /repos/{owner}/{repo}/actions/{runs,jobs} requiring owner permissions (go-gitea#36818)
  Fix CRAN package version validation to allow more than 4 version components (go-gitea#36813)
  Fix API not persisting pull request unit config when has_pull_requests is not set (go-gitea#36718)
  feat: Add Actions API rerun endpoints for runs and jobs (go-gitea#36768)
  Fix bug when pushing mirror with wiki (go-gitea#36795)
  Pull Request Pusher should be the author of the merge (go-gitea#36581)
  Delete non-exist branch should return 404 (go-gitea#36694)
  ...

# Conflicts:
#	routers/web/repo/issue_view.go
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wxiaoguang wxiaoguang wxiaoguang approved these changes

+1 more reviewer

@adelowo adelowo adelowo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport/manual No power to the bots! Create your backport yourself! backport/v1.25 This PR should be backported to Gitea 1.25 lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/frontend type/bug

Projects

None yet

Milestone

1.26.0

Development

Successfully merging this pull request may close these issues.

5 participants

@lunny @silverwind @wxiaoguang @GiteaBot @adelowo