+ "details": "### Summary\nA Stored Cross-site Scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links.\n\n### Details\nThe vulnerability is located in `internal/markup/sanitizer.go`. The application uses the `bluemonday` HTML sanitizer but explicitly weakens the security policy by allowing the `data` URL scheme:\n\n```go\n// internal/markup/sanitizer.go\nfunc NewSanitizer() {\n sanitizer.init.Do(func() {\n // ...\n // Data URLs\n sanitizer.policy.AllowURLSchemes(\"data\")\n // ...\n })\n}\n```\n\nWhile the Markdown renderer rewrites relative links (mitigating standard Markdown `[link](data:...)` attacks), Gogs supports **Raw HTML** input. Raw HTML anchor tags bypass the Markdown parser's link rewriting and are processed directly by the sanitizer. Since the sanitizer is configured to allow `data:` URIs, payloads like `<a href=\"data:text/html...\">` are rendered as-is.\n\n### PoC\n1. Create a file named `exploit.md` in a repository.\n2. Add the following content (Raw HTML):\n ```html\n <a href=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=\">Click me for XSS</a>\n ```\n3. Commit and push the file.\n4. Navigate to the file in the Gogs web interface.\n5. Click the \"Click me for XSS\" link.\n6. **Result:** An alert box with \"XSS\" appears, executing the JavaScript payload.\n\n### Impact\nThis is a **Stored XSS** vulnerability. Any user who views the malicious comment and clicks the link will execute the attacker-supplied JavaScript in their browser context. This allows attackers to:\n* Steal authentication cookies and session tokens.\n* Perform arbitrary actions on behalf of the victim (e.g., modifying repositories, adding collaborators).\n* Redirect users to malicious sites.",
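Review bot: The affected surface is described inconsistently within this `details` text: the Summary says the issue is in "the comment and issue description functionality" and the Impact says "Any user who views the malicious comment", yet the PoC exercises a committed file (`exploit.md` rendered in the file view), not a comment. Either extend the PoC to a comment or issue description, or narrow the Summary and Impact to the rendering paths the PoC actually demonstrates, so readers and downstream scanners get an accurate scope. Two smaller points: the phrase "rewrites relative links (mitigating standard Markdown `[link](data:...)` attacks)" should explain why an absolute `data:` link is affected by relative-link rewriting, since as written it does not follow; and since the Details section already pins the root cause to `sanitizer.policy.AllowURLSchemes("data")`, the advisory would be more useful with a remediation sentence stating that the fix is to drop `data` from the allowed URL schemes (or, if inline images are needed, to permit only image data URIs) so that `href="data:text/html..."` is stripped by the sanitizer.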