issue-keyword class is being incorrectly stripped off spans (#16163)

Bluemonday sanitizer regexp rules are not additive, so the addition of the icons,
emojis and chroma syntax policy has led to this being stripped.

Signed-off-by: Andrew Thornton <art27@cantab.net>

diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 8d2bf5d6885fa65a5f0776efb6aa1c99061f4fe6..5611bd06ad00c5a35e47e54f53a91dcad628a866 100644 (file)
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -50,9 +50,6 @@ func ReplaceSanitizer() {
                sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
        }
 
-       // Allow keyword markup
-       sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
-
        // Allow classes for anchors
        sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a")
 
@@ -68,8 +65,8 @@ func ReplaceSanitizer() {
        // Allow classes for emojis
        sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")
 
-       // Allow icons, emojis, and chroma syntax on span
-       sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$`)).OnElements("span")
+       // Allow icons, emojis, chroma syntax and keyword markup on span
+       sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span")
 
        // Allow data tables
        sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`data-table`)).OnElements("table")