fix #828, may cause unintentional break in other features, but security is no.1

author: Unknwon <joe2010xtmf@163.com> 2015-01-20 13:08:49 +0800
committer: Unknwon <joe2010xtmf@163.com> 2015-01-20 13:08:49 +0800
commit: 8e384ce46c69b0e90168094f64e2ad6c787f4cbb (patch)
tree: 75f29a2b75da9b5e1dceb91137805db6af8c3dd4
parent: 0e286a0ca96ff32241b0d96515d57a37c8a3d5dc (diff)
download: gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.tar.gz
gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.zip
7 files changed, 13 insertions, 10 deletions
diff --git a/.gopmfile b/.gopmfile
index bb49c70475..b405e813d0 100644
--- a/.gopmfile
+++ b/.gopmfile
@@ -23,10 +23,10 @@ github.com/macaron-contrib/oauth2 = commit:8f394c3629
 github.com/macaron-contrib/session = 
 github.com/macaron-contrib/toolbox = commit:57127bcc89
 github.com/mattn/go-sqlite3 = commit:a80c27ba33
+github.com/microcosm-cc/bluemonday = 
 github.com/nfnt/resize = commit:8f44931448
 github.com/russross/blackfriday = commit:05b8cefd6a
 github.com/shurcooL/go = commit:48293cbc7a
-github.com/saintfish/chardet = commit:3af4cd4741
 gopkg.in/ini.v1 = commit:28ad8c408b
 gopkg.in/redis.v2 = commit:e617904962
 
diff --git a/gogs.go b/gogs.go
index 6b8978f2f7..5711452d7c 100644
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
 
-const APP_VER = "0.5.11.0103 Beta"
+const APP_VER = "0.5.12.0120 Beta"
 
 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
diff --git a/modules/base/template.go b/modules/base/template.go
index d96617c05f..829999d1c9 100644
--- a/modules/base/template.go
+++ b/modules/base/template.go
@@ -13,15 +13,19 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 
-	"github.com/gogits/gogs/modules/setting"
 	"github.com/gogits/chardet"
+	"github.com/gogits/gogs/modules/setting"
 )
 
+// FIXME: use me to Markdown API renders
+var p = bluemonday.UGCPolicy()
+
 func Str2html(raw string) template.HTML {
-	return template.HTML(raw)
+	return template.HTML(p.Sanitize(raw))
 }
 
 func Range(l int) []int {
@@ -113,7 +117,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
 		return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
 	},
 	"AvatarLink": AvatarLink,
-	"str2html":   Str2html, // TODO: Legacy
 	"Str2html":   Str2html,
 	"TimeSince":  TimeSince,
 	"FileSize":   FileSize,
diff --git a/templates/.VERSION b/templates/.VERSION
index 3146279bd0..36f8bef5b7 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.5.11.0103 Beta
-\ No newline at end of file
+0.5.12.0120 Beta
+\ No newline at end of file
diff --git a/templates/repo/issue/milestone.tmpl b/templates/repo/issue/milestone.tmpl
index 8a5751c19b..8fc3c25347 100644
--- a/templates/repo/issue/milestone.tmpl
+++ b/templates/repo/issue/milestone.tmpl
@@ -32,7 +32,7 @@
                         <a href="{{$.RepoLink}}/issues?milestone={{.Index}}{{if .IsClosed}}&state=closed{{end}}">Issues</a>
                     </p>
                     <hr/>
-                    <p class="description">{{.RenderedContent | str2html}}</p>
+                    <p class="description">{{.RenderedContent | Str2html}}</p>
                 </div>
                 {{end}}
             </div>
diff --git a/templates/repo/issue/view.tmpl b/templates/repo/issue/view.tmpl
index 738e0c3450..31231515fc 100644
--- a/templates/repo/issue/view.tmpl
+++ b/templates/repo/issue/view.tmpl
@@ -25,7 +25,7 @@
                     <div class="panel panel-default issue-content">
                         <div class="panel-body">
                             <div class="content markdown">
-                                {{str2html .Issue.RenderedContent}}
+                                {{Str2html .Issue.RenderedContent}}
                             </div>
                             <div class="issue-edit-content hidden">
                                 <div class="form-group">
@@ -73,7 +73,7 @@
                             </div>
                             <div class="panel-body markdown">
                                 {{if len .Content}}
-                                {{str2html .Content}}
+                                {{Str2html .Content}}
                                 {{else}}
                                 <i>No comment entered</i>
                                 {{end}}
diff --git a/templates/repo/release/list.tmpl b/templates/repo/release/list.tmpl
index 93dd896a64..79e69b7a9a 100644
--- a/templates/repo/release/list.tmpl
+++ b/templates/repo/release/list.tmpl
@@ -39,7 +39,7 @@
                                 <span class="ahead">{{$.i18n.Tr "repo.release.ahead" .NumCommitsBehind .Target | Str2html}}</span>
                             </p>
                             <div class="markdown desc">
-                                {{str2html .Note}}
+                                {{Str2html .Note}}
                             </div>
                             <p class="download">
                                 <a class="btn btn-gray btn-large btn-radius" href="{{$.RepoLink}}/archive/{{.TagName}}.zip" rel="nofollow"><i class="fa fa-download"></i> {{$.i18n.Tr "repo.release.source_code"}} (ZIP)</a>
author	Unknwon <joe2010xtmf@163.com>	2015-01-20 13:08:49 +0800
committer	Unknwon <joe2010xtmf@163.com>	2015-01-20 13:08:49 +0800
commit	8e384ce46c69b0e90168094f64e2ad6c787f4cbb (patch)
tree	75f29a2b75da9b5e1dceb91137805db6af8c3dd4
parent	0e286a0ca96ff32241b0d96515d57a37c8a3d5dc (diff)
download	gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.tar.gz gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.zip