security: wiki should only allow markdown files #217

New Issue

Closed

opened 2026-05-26 18:39:55 +00:00 by jmiller · 1 comment

jmiller commented 2026-05-26 18:39:55 +00:00

Owner

Copy Link

Copy Source

Summary

Wiki pages should only accept .md (Markdown) files. Currently there may not be sufficient validation preventing other file types from being stored in the wiki git repository.

Risk

If non-markdown files (HTML, JS, etc.) can be committed to the wiki repo, they could be rendered unsafely or used for XSS.

Requirements

• Validate file extension on wiki page create/edit (web UI and API)
• Reject non-.md files in wiki git push hooks
• Audit existing wiki repos for non-markdown files

---

Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

## Summary Wiki pages should only accept .md (Markdown) files. Currently there may not be sufficient validation preventing other file types from being stored in the wiki git repository. ## Risk If non-markdown files (HTML, JS, etc.) can be committed to the wiki repo, they could be rendered unsafely or used for XSS. ## Requirements - [ ] Validate file extension on wiki page create/edit (web UI and API) - [ ] Reject non-.md files in wiki git push hooks - [ ] Audit existing wiki repos for non-markdown files --- *Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller added the security label 2026-05-26 18:39:55 +00:00

jmiller commented 2026-05-26 18:57:19 +00:00

Author

Owner

Copy Link

Copy Source

Deployed in v1.26.1-moko.05.05.00.

Authored-by: Claude Opus 4.6 (1M context) noreply@anthropic.com

Deployed in v1.26.1-moko.05.05.00. *Authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller closed this issue 2026-05-26 18:57:20 +00:00

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

pending: testing

Feature implemented but not yet tested with documented proof

priority: critical

Must fix immediately

priority: high

Important, fix soon

priority: low

Nice to have

priority: medium

Normal priority

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

status: blocked

Blocked by dependency or decision

status: in-progress

Actively being worked on

status: needs-review

Awaiting code review

status: on-hold

Paused intentionally

status: wontfix

Will not be addressed

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

type: bug

Something isn't working

type: bug

type: chore

Maintenance, dependencies, cleanup

type: enhancement

Improvement to existing feature

type: feature

New functionality

type: refactor

Code restructuring without behavior change

type: version

Version bump or release

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels security

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea#217