-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to disable ambiguous unicode characters detection #28454
Conversation
bb88607
to
c405a81
Compare
c405a81
to
0a25514
Compare
Maybe it should even be disabled by default because as I see it, the current detection is almost pure false-positives for the "warnings", only the "errors" are real problems. |
Then we need a break label. |
It wouldn't break anyone's workflow I assume. Not a fan of unnecessary breaking labels. |
I won't do so at the moment, because otherwise some extremists would catch this point and criticize that "Gitea doesn't take security seriously“ |
I think ideally we just remove the warning category (which warns on any irregular whitespace), and just keep the error category (which are the real bidi exploits). Doesn't have to be in this PR. |
That's why I used |
Sounds like a good idea. Currently this feature is kinda useless. If you have almost only false positives, Users do not care about the Warning and will ignore it, even when there's a real threat. You should also add a User setting. Not everyone is Admin. |
It doesn't work that way at the moment, every detected problem is rendered as "warning". Any improvement could be done later. |
Does this hide the "Escape" button in file view and diffs? I think it should when the feature is disabled as the button is only useful for that feature. |
Yes. There won't be "escape" button if there is no detected ambiguous unicode character. update: due to some old code problem, see #28454 (comment) |
I was unable to create a backport for 1.21. @wxiaoguang, please send one manually. 🍵
|
…a#28454) * Close go-gitea#24483 * Close go-gitea#28123 * Close go-gitea#23682 * Close go-gitea#23149 (maybe more)
Just realized that some "escape" buttons are hidden correctly, while some are not, because some of the old code doesn't respect |
* giteaofficial/main: [skip ci] Updated translations via Crowdin Add option to disable ambiguous unicode characters detection (go-gitea#28454) Adjust object format interface (go-gitea#28469) Remove duplicate option in admin screen and now-unused translation keys (go-gitea#28492) [skip ci] Updated translations via Crowdin Initalize stroage for orphaned repository doctor (go-gitea#28487)
Regression of go-gitea#28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix go-gitea#28575
Backport #28576 by wxiaoguang Regression of #28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix #28575 Co-authored-by: wxiaoguang <[email protected]>
Regression of go-gitea#28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix go-gitea#28575
Backport go-gitea#28576 by wxiaoguang Regression of go-gitea#28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix go-gitea#28575 Co-authored-by: wxiaoguang <[email protected]>
…a#28454) * Close go-gitea#24483 * Close go-gitea#28123 * Close go-gitea#23682 * Close go-gitea#23149 (maybe more)
Regression of go-gitea#28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix go-gitea#28575
…a#28454) * Close go-gitea#24483 * Close go-gitea#28123 * Close go-gitea#23682 * Close go-gitea#23149 (maybe more)
Regression of go-gitea#28454 . Now the string is escaped HTML, so it doesn't need `| Safe`. Fix go-gitea#28575
We should get rid of all those unneccesary and confusing escape buttons, e.g. only show if there is actually escapable content. |
Automatically locked because of our CONTRIBUTING guidelines |
(maybe more)