authorwxiaoguang <wxiaoguang@gmail.com>2024-11-18 11:42:30 +0800
committerGitHub <noreply@github.com>2024-11-18 03:42:30 +0000
commit578c02d6529a589dfa5470462e8ca9ab5fa4a5fc (patch)
treeea63e05c76b1d775a865f6354e509526dbe5f206
parent6555cfcac3dc784c0c46c0a42e9cf6dbcbee2517 (diff)
Improve some sanitizer rules (#32534)
This is a backport-only fix for 1.22; 1.23 has a proper fix in #32533.
-rw-r--r--modules/markup/asciicast/asciicast.go2
-rw-r--r--modules/markup/csv/csv.go6
-rw-r--r--modules/markup/sanitizer_default.go6
3 files changed, 7 insertions, 7 deletions
diff --git a/modules/markup/asciicast/asciicast.go b/modules/markup/asciicast/asciicast.go
index 0678062340..873029c1bd 100644
--- a/modules/markup/asciicast/asciicast.go
+++ b/modules/markup/asciicast/asciicast.go
@@ -39,7 +39,7 @@ const (
// SanitizerRules implements markup.Renderer
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
return []setting.MarkupSanitizerRule{
- {Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile(playerClassName)},
+ {Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile("^" + playerClassName + "$")},
{Element: "div", AllowAttr: playerSrcAttr},
}
}
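Review bot: The anchored pattern on the `div` class rule is assembled by string concatenation, so if `playerClassName` ever contains a regexp metacharacter (a `.` is the usual culprit) the pattern silently matches something other than the literal class name; `regexp.MustCompile("^" + regexp.QuoteMeta(playerClassName) + "$")` keeps it an exact-literal match regardless of the constant's value. The constant is declared above the hunk, so I cannot confirm its current value is metacharacter-free. The `playerSrcAttr` rule on the following line still accepts any value; that is pre-existing, but a comment such as `// value is not validated here; the renderer is expected to emit only the URL it constructs` would make the trust boundary explicit. SanitizerRules is complete within the hunk.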
diff --git a/modules/markup/csv/csv.go b/modules/markup/csv/csv.go
index 1dd26eb8ac..c700fb8dfc 100644
--- a/modules/markup/csv/csv.go
+++ b/modules/markup/csv/csv.go
@@ -37,9 +37,9 @@ func (Renderer) Extensions() []string {
// SanitizerRules implements markup.Renderer
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
return []setting.MarkupSanitizerRule{
- {Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`data-table`)},
- {Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
- {Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)},
+ {Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`^data-table$`)},
+ {Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
+ {Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
}
}
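Review bot: The three class patterns are plain literals compiled with `regexp.MustCompile` inside `SanitizerRules`, so they are recompiled on every call and a malformed pattern would panic at first use rather than at package init; package-level vars such as `var dataTableClassRe = regexp.MustCompile(`^data-table$`)` and `var lineNumClassRe = regexp.MustCompile(`^line-num$`)` (shared by the `th` and `td` rules) avoid both. This only matters if the rules are collected more than once, which the hunk does not show either way.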
diff --git a/modules/markup/sanitizer_default.go b/modules/markup/sanitizer_default.go
index 669dc24eae..1f989b54c1 100644
--- a/modules/markup/sanitizer_default.go
+++ b/modules/markup/sanitizer_default.go
@@ -67,10 +67,10 @@ func (st *Sanitizer) createDefaultPolicy() *bluemonday.Policy {
}
// Allow classes for anchors
- policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue( ref-external-issue)?`)).OnElements("a")
+ policy.AllowAttrs("class").Matching(regexp.MustCompile(`^ref-issue( ref-external-issue)?$`)).OnElements("a")
// Allow classes for task lists
- policy.AllowAttrs("class").Matching(regexp.MustCompile(`task-list-item`)).OnElements("li")
+ policy.AllowAttrs("class").Matching(regexp.MustCompile(`^task-list-item$`)).OnElements("li")
// Allow classes for org mode list item status.
policy.AllowAttrs("class").Matching(regexp.MustCompile(`^(unchecked|checked|indeterminate)$`)).OnElements("li")
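Review bot: `li` now carries two separate class policies, the anchored `^task-list-item$` and the org-mode `^(unchecked|checked|indeterminate)$`, each registered by its own AllowAttrs call; whether both apply depends on the bluemonday version in use, since recent releases keep a list of attribute policies per element/attribute and accept a value if any matches, while older ones overwrote the earlier policy. Worth a test confirming `<li class="task-list-item">` still survives after this change, because the anchored form no longer tolerates the extra classes the old substring match let through and a shadowed rule would now fail silently. createDefaultPolicy starts before and continues after the hunk.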
@@ -79,7 +79,7 @@ func (st *Sanitizer) createDefaultPolicy() *bluemonday.Policy {
policy.AllowAttrs("class").Matching(regexp.MustCompile(`^icon(\s+[\p{L}\p{N}_-]+)+$`)).OnElements("i")
// Allow classes for emojis
- policy.AllowAttrs("class").Matching(regexp.MustCompile(`emoji`)).OnElements("img")
+ policy.AllowAttrs("class").Matching(regexp.MustCompile(`^emoji$`)).OnElements("img")
// Allow icons, emojis, chroma syntax and keyword markup on span
policy.AllowAttrs("class").Matching(regexp.MustCompile(`^((icon(\s+[\p{L}\p{N}_-]+)+)|(emoji)|(language-math display)|(language-math inline))$|^([a-z][a-z0-9]{0,2})$|^` + keywordClass + `$`)).OnElements("span")
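Review bot: The tightened `img` class rule ships without a regression test in this patch; since the un-anchored `emoji` pattern previously accepted any class value containing that substring, a sanitizer test asserting that `<img class="emoji">` keeps its class while `<img class="emoji other">` and `<img class="x-emoji-y">` have the attribute stripped would pin the fix on the backport branch. The `span` rule on the last context line already uses the anchored `^...$` form, so the two are now consistent. createDefaultPolicy continues outside the hunk.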