"github.com/Unknwon/cae/zip"
"github.com/Unknwon/com"
+ "github.com/gogits/gogs/modules/base"
"github.com/gogits/gogs/modules/git"
"github.com/gogits/gogs/modules/log"
"github.com/gogits/gogs/modules/process"
)
var (
- DescriptionPattern = regexp.MustCompile(`https?://\S+`)
+ DescPattern = regexp.MustCompile(`https?://\S+`)
)
func LoadRepoConfig() {
ss := html.EscapeString(s)
return fmt.Sprintf(`<a href="%s" target="_blank">%s</a>`, ss, ss)
}
- return template.HTML(DescriptionPattern.ReplaceAllStringFunc(repo.Description, sanitize))
+ return template.HTML(DescPattern.ReplaceAllStringFunc(base.XSSString(repo.Description), sanitize))
}
// IsRepositoryExist returns true if the repository with given name under user has already existed.
"regexp"
"strings"
- "github.com/gogits/gfm"
+ "github.com/russross/blackfriday"
+
"github.com/gogits/gogs/modules/setting"
)
}
type CustomRender struct {
- gfm.Renderer
+ blackfriday.Renderer
urlPrefix string
}
func RenderRawMarkdown(body []byte, urlPrefix string) []byte {
htmlFlags := 0
- // htmlFlags |= gfm.HTML_USE_XHTML
- // htmlFlags |= gfm.HTML_USE_SMARTYPANTS
- // htmlFlags |= gfm.HTML_SMARTYPANTS_FRACTIONS
- // htmlFlags |= gfm.HTML_SMARTYPANTS_LATEX_DASHES
- // htmlFlags |= gfm.HTML_SKIP_HTML
- htmlFlags |= gfm.HTML_SKIP_STYLE
- htmlFlags |= gfm.HTML_SKIP_SCRIPT
- htmlFlags |= gfm.HTML_GITHUB_BLOCKCODE
- htmlFlags |= gfm.HTML_OMIT_CONTENTS
- // htmlFlags |= gfm.HTML_COMPLETE_PAGE
+ // htmlFlags |= blackfriday.HTML_USE_XHTML
+ // htmlFlags |= blackfriday.HTML_USE_SMARTYPANTS
+ // htmlFlags |= blackfriday.HTML_SMARTYPANTS_FRACTIONS
+ // htmlFlags |= blackfriday.HTML_SMARTYPANTS_LATEX_DASHES
+ // htmlFlags |= blackfriday.HTML_SKIP_HTML
+ htmlFlags |= blackfriday.HTML_SKIP_STYLE
+ // htmlFlags |= blackfriday.HTML_SKIP_SCRIPT
+ // htmlFlags |= blackfriday.HTML_GITHUB_BLOCKCODE
+ htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
+ // htmlFlags |= blackfriday.HTML_COMPLETE_PAGE
renderer := &CustomRender{
- Renderer: gfm.HtmlRenderer(htmlFlags, "", ""),
+ Renderer: blackfriday.HtmlRenderer(htmlFlags, "", ""),
urlPrefix: urlPrefix,
}
// set up the parser
extensions := 0
- extensions |= gfm.EXTENSION_NO_INTRA_EMPHASIS
- extensions |= gfm.EXTENSION_TABLES
- extensions |= gfm.EXTENSION_FENCED_CODE
- extensions |= gfm.EXTENSION_AUTOLINK
- extensions |= gfm.EXTENSION_STRIKETHROUGH
- extensions |= gfm.EXTENSION_HARD_LINE_BREAK
- extensions |= gfm.EXTENSION_SPACE_HEADERS
- extensions |= gfm.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
-
- body = gfm.Markdown(body, renderer, extensions)
+ extensions |= blackfriday.EXTENSION_NO_INTRA_EMPHASIS
+ extensions |= blackfriday.EXTENSION_TABLES
+ extensions |= blackfriday.EXTENSION_FENCED_CODE
+ extensions |= blackfriday.EXTENSION_AUTOLINK
+ extensions |= blackfriday.EXTENSION_STRIKETHROUGH
+ extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
+ extensions |= blackfriday.EXTENSION_SPACE_HEADERS
+ extensions |= blackfriday.EXTENSION_NO_EMPTY_LINE_BEFORE_BLOCK
+
+ body = blackfriday.Markdown(body, renderer, extensions)
return body
}
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix)
+ body = XSS(body)
return body
}
"hash"
"html/template"
"math"
+ "regexp"
"strings"
"time"
format = replacer.Replace(format)
return t.Format(format)
}
+
+type xssFilter struct {
+ reg *regexp.Regexp
+ repl []byte
+}
+
+var (
+ whiteSpace = []byte(" ")
+ xssFilters = []xssFilter{
+ {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace},
+ {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace},
+ {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0
]*:`), whiteSpace},
+ }
+)
+
+// XSS goes through all the XSS filters to make user input content as safe as possible.
+func XSS(in []byte) []byte {
+ for _, filter := range xssFilters {
+ in = filter.reg.ReplaceAll(in, filter.repl)
+ }
+ return in
+}
+
+func XSSString(in string) string {
+ return string(XSS([]byte(in)))
+}