Allow http#1369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged

Nov 6, 2025

Merged

Nov 6, 2025

+1 −1

Conversation

Copy link

Contributor

Also allow http links in sanitisation filter.

Allow http

8952cc0

JoannaaKL requested a review froma team as acode owner

CopilotAI review requested due to automatic review settings

Merge branch 'main' into allow-http-in-links

08f759d

CopilotAI reviewed

Copy link

Contributor

The reason will be displayed to describe this comment to others.Learn more.

This PR modifies the HTML sanitization policy to allow both HTTP and HTTPS URL schemes in links, where previously only HTTPS was permitted.

Expands allowed URL schemes from HTTPS-only to include both HTTP and HTTPS protocols

Comments suppressed due to low confidence (2)

pkg/sanitize/sanitize.go:57

Allowing 'http' URLs introduces a security concern. HTTP traffic is unencrypted and susceptible to man-in-the-middle attacks, which could expose users to malicious content. The policy already usesRequireNoFollowOnLinks(true) andRequireNoReferrerOnLinks(true), but these don't protect against eavesdropping or tampering with HTTP links. Consider whether HTTP URLs are truly necessary, or if the policy should continue enforcing HTTPS-only to ensure secure connections.

if toggled {

pkg/sanitize/sanitize.go:57

The change to allow 'http' URLs lacks test coverage. The existing test suite only includes an HTTPS URL test case (line 223-224 in sanitize_test.go). Add test cases to verify that HTTP URLs are properly allowed and sanitized, for example: a test with<a href=\"http://example.com\">link</a> to confirm the new behavior.