github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-21 11:55:31 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

"invisible Unicode characters" warning for no technical reason (whitespace) #10966

New Issue
Closed
opened 2025-11-02 09:23:31 -06:00 by GiteaMirror · 7 comments
GiteaMirror commented 2025-11-02 09:23:31 -06:00
Owner
Copy Link

Originally created by @PommesSchranke on GitHub (Jun 5, 2023).

Description

Hello gitea,

I'm a codeberg user. Lately I found, that for formfeeds ('\f’) an inappropriate warning is shown on top of the code, plus the formfeed characters are hidden behind a warning icon (see [https://codeberg.org/Foxglove/tileserver/src/branch/main/tileserver.pl]). Thus hiding the character warned of making the decision in favour of that piece of source code a lot harder.

I now learned, that codeberg is "following upstream and will never fork", plus the code that does the inappropriate warning and the information-hiding is part of gitea.

Why I consider this a bug

Although this might install some false fealing of security in the faint of heart (and/or bad informed), it will in the most part shy away those people, rendering publishing of source code on codeberg (through gitea) useless for me and, maybe others.

Imagine the emacs people would resort to host one of the oldest and most active open source projects through gitea:

••• sebastian@terra:/home/sebastian/develop/ext/emacs [master]
 ⤷ grep -lPr '\f' lisp | wc -l | xargs echo "Files with warnings: "
Files with warnings:  474

••• sebastian@terra:/home/sebastian/develop/ext/emacs [master]
 ⤷ grep -Pr '\f' lisp | wc -l | xargs echo "Icons to click: "
Icons to click:  4273

Is there a possiblity to get rid of the faulty code, or complement it with some sensible test for attack vectors?

Best wishes,

  • Sebastian

Gitea Version

Current codeberg's version (as of 2023-06-05)

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

inappropriate-warning-message
warning-icons-hiding-information

Git Version

No response

Operating System

No response

How are you running Gitea?

I'm a codeberg user, and was told, the warning is produced in gitea (https://codeberg.org/Codeberg/Community/issues/1030#issuecomment-929035

Database

None

Originally created by @PommesSchranke on GitHub (Jun 5, 2023). ### Description Hello gitea, I'm a codeberg user. Lately I found, that for formfeeds ('\f’) an inappropriate warning is shown on top of the code, plus the formfeed characters are hidden behind a warning icon (see [https://codeberg.org/Foxglove/tileserver/src/branch/main/tileserver.pl]). Thus hiding the character warned of making the decision in favour of that piece of source code a lot harder. I now learned, that codeberg is "following upstream and will never fork", plus the code that does the inappropriate warning and the information-hiding is part of gitea. ### Why I consider this a bug Although this might install some false fealing of security in the faint of heart (and/or bad informed), it will in the most part shy away those people, rendering publishing of source code on codeberg (through gitea) useless for me and, maybe others. Imagine the emacs people would resort to host one of the oldest and most active open source projects through gitea: ``` ••• sebastian@terra:/home/sebastian/develop/ext/emacs [master] ⤷ grep -lPr '\f' lisp | wc -l | xargs echo "Files with warnings: " Files with warnings: 474 ••• sebastian@terra:/home/sebastian/develop/ext/emacs [master] ⤷ grep -Pr '\f' lisp | wc -l | xargs echo "Icons to click: " Icons to click: 4273 ``` Is there a possiblity to get rid of the faulty code, or complement it with some sensible test for attack vectors? Best wishes, - Sebastian ### Gitea Version Current codeberg's version (as of 2023-06-05) ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots ![inappropriate-warning-message](https://github.com/go-gitea/gitea/assets/69091268/07f25d65-cc98-4eda-a417-16cf6a5c6118) ![warning-icons-hiding-information](https://github.com/go-gitea/gitea/assets/69091268/2c2da6de-8be4-4f2d-8cd8-40eae50f3dbd) ### Git Version _No response_ ### Operating System _No response_ ### How are you running Gitea? I'm a codeberg user, and was told, the warning is produced in gitea ([https://codeberg.org/Codeberg/Community/issues/1030#issuecomment-929035](url) ### Database None
GiteaMirror added the type/bug label 2025-11-02 09:23:31 -06:00
GiteaMirror commented 2025-11-02 09:23:32 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Jun 5, 2023):

Related to:

(and maybe more)

@wxiaoguang commented on GitHub (Jun 5, 2023): Related to: * #23682 * #23149 (and maybe more)
GiteaMirror commented 2025-11-02 09:23:32 -06:00
Author
Owner
Copy Link

@silverwind commented on GitHub (Jun 5, 2023):

I think VSCode would also "warn" or at least highlight these, but I propose we just introduce a config option where server admins can decide which character classes to warn for - see https://github.com/go-gitea/gitea/issues/23682.

@silverwind commented on GitHub (Jun 5, 2023): I think VSCode would also "warn" or at least highlight these, but I propose we just introduce a config option where server admins can decide which character classes to warn for - see https://github.com/go-gitea/gitea/issues/23682.
GiteaMirror commented 2025-11-02 09:23:33 -06:00
Author
Owner
Copy Link

@PommesSchranke commented on GitHub (Jun 6, 2023):

"I think VSCode would also warn..." is not in any way a technical reason. I consider the warning itself in this case buggy, since there is no reason to show it for the whitespace character: '\f', simply a formfeed.

@PommesSchranke commented on GitHub (Jun 6, 2023): "I think VSCode would also warn..." is not in any way a technical reason. I consider the warning itself in this case buggy, since there is no reason to show it for the whitespace character: '\f', simply a formfeed.
GiteaMirror commented 2025-11-02 09:23:33 -06:00
Author
Owner
Copy Link

@silverwind commented on GitHub (Jun 6, 2023):

It fits the "ambigous" category, but see https://github.com/go-gitea/gitea/issues/23682#issuecomment-1577121269 for my proposal that would by default not highlight ambigous characters, only bidi exploits.

@silverwind commented on GitHub (Jun 6, 2023): It fits the "ambigous" category, but see https://github.com/go-gitea/gitea/issues/23682#issuecomment-1577121269 for my proposal that would by default not highlight ambigous characters, only bidi exploits.
GiteaMirror commented 2025-11-02 09:23:33 -06:00
Author
Owner
Copy Link

@eleksir commented on GitHub (Jul 23, 2023):

In my opinion this "Ambiguous thing" must have config option to disable this abusive junk entirely and on per-repo basis.
I just don't care about it - i'm the only one user of my instance of gitea and don't care about this overhyped pseudo-security hypothetical nano-risk of something that security-a-like-fanboys think can be dangerous for them (because of their incompetence).

Please make an option in config to disable this crippled function for whole instance of gitea and setting to enable/disable this ambi-crap (to allow paranoids feel pseudo-safeness).

@eleksir commented on GitHub (Jul 23, 2023): In my opinion this "Ambiguous thing" must have config option to disable this abusive junk entirely and on per-repo basis. I just don't care about it - i'm the only one user of my instance of gitea and don't care about this overhyped pseudo-security hypothetical nano-risk of something that security-a-like-fanboys think can be dangerous for them (because of their incompetence). Please make an option in config to disable this crippled function for whole instance of gitea and setting to enable/disable this ambi-crap (to allow paranoids feel pseudo-safeness).
GiteaMirror commented 2025-11-02 09:23:33 -06:00
Author
Owner
Copy Link

@PommesSchranke commented on GitHub (Jul 24, 2023):

Yes! There is nothing "ambiguous" about a formfeed anyway. Computing is not about ambiguity. Either there we find a char introducing some attack vector, or we do not. Formfeed does not. So there is nothing to warn about it => it's a bug!

@PommesSchranke commented on GitHub (Jul 24, 2023): Yes! There is nothing "ambiguous" about a formfeed anyway. Computing is not about ambiguity. Either there we find a char introducing some attack vector, or we do not. Formfeed does not. So there is nothing to warn about it => it's a bug!
GiteaMirror commented 2025-11-02 09:23:34 -06:00
Author
Owner
Copy Link

@silverwind commented on GitHub (Jul 24, 2023):

https://github.com/go-gitea/gitea/issues/23682 has some suggestions for a fix, let's move the discussion there, we don't need two issues open for it.

@silverwind commented on GitHub (Jul 24, 2023): https://github.com/go-gitea/gitea/issues/23682 has some suggestions for a fix, let's move the discussion there, we don't need two issues open for it.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#10966
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?