Fix bug of link query order on markdown render (#14156)
authorLunny Xiao <xiaolunwen@gmail.com>
Mon, 28 Dec 2020 16:28:27 +0000 (00:28 +0800)
committerGitHub <noreply@github.com>
Mon, 28 Dec 2020 16:28:27 +0000 (00:28 +0800)
* Fix bug of link query order on markdown render

* Fix bluemonday bug and fix one wrong test

Co-authored-by: 6543 <6543@obermui.de>
go.mod
go.sum
modules/markup/html_test.go
vendor/github.com/microcosm-cc/bluemonday/sanitize.go
vendor/modules.txt

diff --git a/go.mod b/go.mod
index c334f68831a6ab932b44c10377631b8f95e6bd7f..6556f54ed67887648e1db08eb2df009fb91273b8 100644 (file)
--- a/go.mod
+++ b/go.mod
@@ -126,3 +126,5 @@ require (
 )
 
 replace github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4
+
+replace github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8
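Review bot: The new `replace` has no version on its left-hand side, so every version of microcosm-cc/bluemonday is redirected to a personal fork pinned at one pseudo-version; a later `go get -u` of bluemonday will still build the fork and will not pick up upstream sanitizer releases until this directive is removed. Because bluemonday is the HTML sanitizer that stands between rendered markdown and the browser, that redirection deserves an explicit exit condition next to it, e.g. `// Temporary: query-parameter ordering fix; drop once merged upstream in microcosm-cc/bluemonday`. The matching go.sum entries pin the fork's content hash, so the build is at least reproducible, but nothing here records when the fork should stop being used.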
diff --git a/go.sum b/go.sum
index 6ac80e2677c9746567f0ba844a079a27e652c415..0291b7766023e6d04c1544ad86fbbd886ad2d6da 100644 (file)
--- a/go.sum
+++ b/go.sum
@@ -743,6 +743,8 @@ github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc h1:ERSU1OvZ6MdWhHieo2oT7x
 github.com/lib/pq v1.8.1-0.20200908161135-083382b7e6fc/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
+github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8 h1:1omo92DLtxQu6VwVPSZAmduHaK5zssed6cvkHyl1XOg=
+github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96 h1:uNwtsDp7ci48vBTTxDuwcoTXz4lwtDTe7TjCQ0noaWY=
 github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96/go.mod h1:mmIfjCSQlGYXmJ95jFN84AkQFnVABtKuJL8IrzwvUKQ=
 github.com/lunny/log v0.0.0-20160921050905-7887c61bf0de h1:nyxwRdWHAVxpFcDThedEgQ07DbcRc5xgNObtbTp76fk=
@@ -801,8 +803,6 @@ github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7 h1:ydVkpU/M4/c45y
 github.com/mgechev/revive v1.0.3-0.20200921231451-246eac737dc7/go.mod h1:no/hfevHbndpXR5CaJahkYCfM/FFpmM/dSOwFGU7Z1o=
 github.com/mholt/archiver/v3 v3.5.0 h1:nE8gZIrw66cu4osS/U7UW7YDuGMHssxKutU8IfWxwWE=
 github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc=
-github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg=
-github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
index a018d74840e3ae1fd794c6e3cc4b1627d3124dd0..a3c273e628df9f2719d827a184a90285ef8693b1 100644 (file)
@@ -142,7 +142,7 @@ func TestRender_links(t *testing.T) {
                `<p><a href="ftp://gitea.com/file.txt" rel="nofollow">ftp://gitea.com/file.txt</a></p>`)
        test(
                "magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download",
-               `<p><a href="magnet:?dn=download&xt=urn%3Abtih%3A5dee65101db281ac9c46344cd6b175cdcadabcde" rel="nofollow">magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&amp;dn=download</a></p>`)
+               `<p><a href="magnet:?xt=urn%3Abtih%3A5dee65101db281ac9c46344cd6b175cdcadabcde&dn=download" rel="nofollow">magnet:?xt=urn:btih:5dee65101db281ac9c46344cd6b175cdcadabcde&amp;dn=download</a></p>`)
 
        // Test that should *not* be turned into URL
        test(
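Review bot: The updated `magnet:` expectation pins query ordering, but no case covers the error path the forked sanitizer now takes: `sanitizedURL` in the vendored sanitize.go returns parseQuery's error on a malformed percent-escape, whereas the previous `u.Query()` silently dropped the bad pair, so a link such as `http://example.com/?a=%zz` now goes through the `else` branch of writeLinkableBuf instead of being re-encoded. I'd add a `test(...)` case with a bad escape and pin whatever that branch emits, so the behaviour change introduced with the fork is covered rather than incidental. A repeated key (`?a=1&a=2`) and a `;`-separated query are also worth pinning, since parseQuery still splits on `;` yet always re-joins with `&`. TestRender_links begins before and continues past this hunk.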
index 103f39f6e5ebdbca118bb1d578808512d56d1feb..a58333aa65e6e865024d0c8617a2f39ee8f811c1 100644 (file)
@@ -122,22 +122,79 @@ func escapeUrlComponent(val string) string {
        return w.String()
 }
 
-func sanitizedUrl(val string) (string, error) {
+// Query represents a query
+type Query struct {
+       Key   string
+       Value string
+}
+
+func parseQuery(query string) (values []Query, err error) {
+       for query != "" {
+               key := query
+               if i := strings.IndexAny(key, "&;"); i >= 0 {
+                       key, query = key[:i], key[i+1:]
+               } else {
+                       query = ""
+               }
+               if key == "" {
+                       continue
+               }
+               value := ""
+               if i := strings.Index(key, "="); i >= 0 {
+                       key, value = key[:i], key[i+1:]
+               }
+               key, err1 := url.QueryUnescape(key)
+               if err1 != nil {
+                       if err == nil {
+                               err = err1
+                       }
+                       continue
+               }
+               value, err1 = url.QueryUnescape(value)
+               if err1 != nil {
+                       if err == nil {
+                               err = err1
+                       }
+                       continue
+               }
+               values = append(values, Query{
+                       Key:   key,
+                       Value: value,
+               })
+       }
+       return values, err
+}
+
+func encodeQueries(queries []Query) string {
+       var b strings.Builder
+       for i, query := range queries {
+               b.WriteString(url.QueryEscape(query.Key))
+               b.WriteString("=")
+               b.WriteString(url.QueryEscape(query.Value))
+               if i < len(queries)-1 {
+                       b.WriteString("&")
+               }
+       }
+       return b.String()
+}
+
+func sanitizedURL(val string) (string, error) {
        u, err := url.Parse(val)
        if err != nil {
                return "", err
        }
+
+       // we use parseQuery but not u.Query to keep the order not change because
+       // url.Values is a map which has a random order.
+       queryValues, err := parseQuery(u.RawQuery)
+       if err != nil {
+               return "", err
+       }
        // sanitize the url query params
-       sanitizedQueryValues := make(url.Values, 0)
-       queryValues := u.Query()
-       for k, vals := range queryValues {
-               sk := html.EscapeString(k)
-               for _, v := range vals {
-                       sv := v
-                       sanitizedQueryValues.Add(sk, sv)
-               }
+       for i, query := range queryValues {
+               queryValues[i].Key = html.EscapeString(query.Key)
        }
-       u.RawQuery = sanitizedQueryValues.Encode()
+       u.RawQuery = encodeQueries(queryValues)
        // u.String() will also sanitize host/scheme/user/pass
        return u.String(), nil
 }
@@ -158,7 +215,7 @@ func (p *Policy) writeLinkableBuf(buff *bytes.Buffer, token *html.Token) {
                                tokenBuff.WriteString(html.EscapeString(attr.Val))
                                continue
                        }
-                       u, err := sanitizedUrl(u)
+                       u, err := sanitizedURL(u)
                        if err == nil {
                                tokenBuff.WriteString(u)
                        } else {
index a30151bf342bef1565b63b6f1e0713e4ce8f0de5..346d0a749f401a7f626baa19a4cf7e1d6afd29db 100644 (file)
@@ -576,7 +576,7 @@ github.com/mgechev/revive/rule
 # github.com/mholt/archiver/v3 v3.5.0
 ## explicit
 github.com/mholt/archiver/v3
-# github.com/microcosm-cc/bluemonday v1.0.4
+# github.com/microcosm-cc/bluemonday v1.0.4 => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8
 ## explicit
 github.com/microcosm-cc/bluemonday
 # github.com/minio/md5-simd v1.1.0
@@ -998,3 +998,4 @@ xorm.io/xorm/names
 xorm.io/xorm/schemas
 xorm.io/xorm/tags
 # github.com/hashicorp/go-version => github.com/6543/go-version v1.2.4
+# github.com/microcosm-cc/bluemonday => github.com/lunny/bluemonday v1.0.5-0.20201227154428-ca34796141e8