
Allow all schemes in markdown by default

Open tobiasBora opened this issue 3 years ago • 6 comments

Description

Using the main instance https://gitea.com I am unable to insert non-http emails. In particular I am interested in adding links to my emails (I use the tool only internally) provided by the https://camiel.bouchier.be/en/cb_thunderlink extension. Unfortunately links like cbthunderlink://somebase64string are not clickable, even if I explicitly use the longer URL notation:

See you can't click me [cbthunderlink://somebase64string](cbthunderlink://somebase64string)

Gitea Version

1.18.0+dev-333-g9e0c43777

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

[screenshot]

[screenshot]

Git Version

No response

Operating System

No response

How are you running Gitea?

Using the instance from https://gitea.com

Database

No response

tobiasBora, Sep 12 '22 09:09

There is a config option: markdown.CUSTOM_URL_SCHEMES

wxiaoguang, Sep 12 '22 10:09

Hum, good to know, thanks… but I guess it will not work if I do not own the server (which is my case)… Is there any security reason for this limitation?

tobiasBora, Sep 12 '22 10:09

I believe security is the main concern (although it's not designed by me).

Some schemes/protocols could lead to security problems.

wxiaoguang, Sep 12 '22 10:09
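The two comments above name the mechanism (the `markdown.CUSTOM_URL_SCHEMES` setting) and the reason for it (some URL schemes are dangerous when rendered from user-supplied Markdown; `javascript:` is the classic case, since a clicked `javascript:` link runs in the page's own origin). The following is an added example, not Gitea's own code: a small Go allowlist check modelled on how such a setting behaves. `http` and `https` are always accepted, relative links are accepted, and any other scheme is accepted only when the administrator listed it. The `parseCustomSchemes` and `linkAllowed` names and the sample links are constructed for this illustration; the real Gitea default list of permitted schemes is not reproduced here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Added example, not Gitea's code. It imitates an app.ini setting such as
//
//   [markdown]
//   CUSTOM_URL_SCHEMES = cbthunderlink,ftp
//
// where the comma-separated value extends a fixed base of http and https.

// alwaysAllowed are the schemes rendered as links regardless of configuration.
var alwaysAllowed = []string{"http", "https"}

// parseCustomSchemes turns the comma-separated setting value into an
// allowlist, normalising case and whitespace so "CbThunderLink, ftp" works.
func parseCustomSchemes(setting string) map[string]bool {
	allowed := make(map[string]bool)
	for _, s := range alwaysAllowed {
		allowed[s] = true
	}
	for _, s := range strings.Split(setting, ",") {
		s = strings.ToLower(strings.TrimSpace(s))
		if s != "" {
			allowed[s] = true
		}
	}
	return allowed
}

// linkAllowed reports whether a Markdown link target may become a clickable
// hyperlink. Targets that fail to parse (for example ones containing control
// characters) are rejected outright; scheme-less targets are relative links
// and are allowed; absolute targets must carry an allowlisted scheme.
func linkAllowed(target string, allowed map[string]bool) bool {
	u, err := url.Parse(strings.TrimSpace(target))
	if err != nil {
		return false
	}
	if u.Scheme == "" {
		return true
	}
	return allowed[strings.ToLower(u.Scheme)]
}

func main() {
	// Constructed sample links, including the one from the issue report.
	links := []string{
		"https://gitea.com",
		"/user/repo/issues/1",
		"cbthunderlink://somebase64string",
		"javascript:alert(1)",
	}
	for _, cfg := range []string{"", "cbthunderlink,ftp"} {
		allowed := parseCustomSchemes(cfg)
		fmt.Printf("CUSTOM_URL_SCHEMES = %q\n", cfg)
		for _, l := range links {
			fmt.Printf("  %-36s -> %v\n", l, linkAllowed(l, allowed))
		}
	}
}
```

With an empty setting the `cbthunderlink://` link is not rendered, which is what the reporter saw on gitea.com; adding `cbthunderlink` to the setting makes it clickable while `javascript:` stays rejected under either configuration.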

I'm not sure I understand how security would be impacted: I guess that it is always possible for an attacker to put an https link that points to, e.g., tinyurl and then put there a redirection to the URL using the malicious protocol. In my opinion, it is the role of the browser to protect against malicious protocols (and to some extent it is the case; for instance Firefox will ask you which program to call when you use a Zoom link), not websites.

tobiasBora, Sep 12 '22 14:09

I would agree with you if there were no more security concerns. The code dates back to 2014 and 2016:

https://github.com/go-gitea/gitea/commit/3a9fd81f5946cbd70390b9c061bdcd1842f29735
https://github.com/go-gitea/gitea/commit/a4cbe79567072befd96cf1b7eb319de1e2809ca3

wxiaoguang, Sep 12 '22 17:09

OK, perfect then!

tobiasBora, Sep 13 '22 08:09