security: wiki should only allow markdown files #217

New Issue

Closed

opened 2026-05-26 18:39:55 +00:00 by jmiller · 1 comment

jmiller commented 2026-05-26 18:39:55 +00:00

Owner

Copy Link

Copy Source

Summary

Wiki pages should only accept .md (Markdown) files. Currently there may not be sufficient validation preventing other file types from being stored in the wiki git repository.

Risk

If non-markdown files (HTML, JS, etc.) can be committed to the wiki repo, they could be rendered unsafely or used for XSS.

Requirements

• Validate file extension on wiki page create/edit (web UI and API)
• Reject non-.md files in wiki git push hooks
• Audit existing wiki repos for non-markdown files

---

Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

## Summary Wiki pages should only accept .md (Markdown) files. Currently there may not be sufficient validation preventing other file types from being stored in the wiki git repository. ## Risk If non-markdown files (HTML, JS, etc.) can be committed to the wiki repo, they could be rendered unsafely or used for XSS. ## Requirements - [ ] Validate file extension on wiki page create/edit (web UI and API) - [ ] Reject non-.md files in wiki git push hooks - [ ] Audit existing wiki repos for non-markdown files --- *Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller added the security label 2026-05-26 18:39:55 +00:00

jmiller commented 2026-05-26 18:57:19 +00:00

Author

Owner

Copy Link

Copy Source

Deployed in v1.26.1-moko.05.05.00.

Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

Deployed in v1.26.1-moko.05.05.00. *Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller closed this issue 2026-05-26 18:57:20 +00:00

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

No labels security

Priority High

Type Security

Status —

Priority —

Type —

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#217