author: Lunny Xiao <xiaolunwen@gmail.com> 2022-06-16 11:33:23 +0800
committer: GitHub <noreply@github.com> 2022-06-16 11:33:23 +0800
commit: b01dce2a6e98c25915a8e98afb741a1c34d05aba (patch)
tree: b391ae8dff3ed5270b9721900bdc667b05fd555c /custom
parent: 7d1770cd714416bd80f114681d19e3076a0b0966 (diff)
Allow render HTML with css/js external links (#19017)
* Allow render HTML with css/js external links
* Fix bug because of filename escape chars
* Fix lint
* Update docs about new configuration item
* Fix bug of render HTML in sub directory
* Add CSP head for displaying iframe in rendering file
* Fix test
* Apply suggestions from code review
  Co-authored-by: delvh <dev.lh@web.de>
* Some improvements
* some improvement
* revert change in SanitizerDisabled of external renderer
* Add sandbox for iframe and support allow-scripts and allow-same-origin
* refactor
* fix
* fix lint
* fine tune
* use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts
* fine tune CSP
* Apply suggestions from code review
  Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'custom')
 custom/conf/app.example.ini | 7 (-rw-r--r--)
 1 files changed, 5 insertions, 2 deletions
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 8e082233c1..065c57ef51 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -2181,8 +2181,11 @@ PATH =
;RENDER_COMMAND = "asciidoc --out-file=- -"
;; Don't pass the file on STDIN, pass the filename as argument instead.
;IS_INPUT_FILE = false
-; Don't filter html tags and attributes if true
-;DISABLE_SANITIZER = false
+;; How the content will be rendered.
+;; * sanitized: Sanitize the content and render it inside current page, default to only allow a few HTML tags and attributes. Customized sanitizer rules can be defined in [markup.sanitizer.*] .
+;; * no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code.
+;; * iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.
+;RENDER_CONTENT_MODE=sanitized
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
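Review bot: `;RENDER_CONTENT_MODE=sanitized` on the last added line drops the spaces around `=` that the neighbouring keys in this section use (`;IS_INPUT_FILE = false`, `;RENDER_COMMAND = "..."`); write it as `;RENDER_CONTENT_MODE = sanitized` so the example stays consistent. Because the removed `DISABLE_SANITIZER` key is replaced rather than kept alongside the new one, a short comment mapping the old setting to the new values (the old `DISABLE_SANITIZER = true` behaviour corresponds to `RENDER_CONTENT_MODE = no-sanitizer`) would help operators migrating existing configs. Two wording points in the `iframe` description: "the JS code are safely isolated" should read "is", and since the commit message settles on `sandbox=allow-scripts`, stating that exact sandbox value in the comment would make clear that scripts do execute inside the frame while same-origin access is withheld, which is the property the isolation relies on.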