diff options
| author | Alexander Scheel <alexander.m.scheel@gmail.com> | 2020-04-29 07:34:59 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-29 12:34:59 +0100 |
| commit | 1bf9e44bda5c8cd1fd72622cffce8ec291db79c5 (patch) | |
| tree | 7baebecfcb0367f41306cd37945053bf7519226d /docs/content/doc/advanced/config-cheat-sheet.en-us.md | |
| parent | 6b6f20b6d43b6263320ee872799373f33a751304 (diff) | |
| download | gitea-1bf9e44bda5c8cd1fd72622cffce8ec291db79c5.tar.gz gitea-1bf9e44bda5c8cd1fd72622cffce8ec291db79c5.zip | |
Fix sanitizer config - multiple rules (#11133)
In #9888, it was reported that my earlier pull request #9075 didn't quite function as expected. I was quite hopeful the `ValuesWithShadow()` worked as expected (and, I thought my testing showed it did) but I guess not. @zeripath proposed an alternative syntax which I like:
```ini
[markup.sanitizer.1]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something
[markup.sanitizer.2]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something
```
This was quite easy to adopt into the existing code. I've done so in a semi-backwards-compatible manner:
- The value from `.Value()` is used for each element.
- We parse `[markup.sanitizer]` and all `[markup.sanitizer.*]` sections and add them as rules.
This means that existing configs will load one rule (not all rules). It also means people can use string identifiers (`[markup.sanitiser.KaTeX]`) if they prefer, instead of numbered ones.
Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
Diffstat (limited to 'docs/content/doc/advanced/config-cheat-sheet.en-us.md')
| -rw-r--r-- | docs/content/doc/advanced/config-cheat-sheet.en-us.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 3f0eca308a..000b65f5a1 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -658,7 +658,7 @@ Two special environment variables are passed to the render command: Gitea supports customizing the sanitization policy for rendered HTML. The example below will support KaTeX output from pandoc. ```ini -[markup.sanitizer] +[markup.sanitizer.TeX] ; Pandoc renders TeX segments as <span>s with the "math" class, optionally ; with "inline" or "display" classes depending on context. ELEMENT = span @@ -670,7 +670,7 @@ REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+ - `ALLOW_ATTR`: The attribute this policy allows. Must be non-empty. - `REGEXP`: A regex to match the contents of the attribute against. Must be present but may be empty for unconditional whitelisting of this attribute. -You may redefine `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` multiple times; each time all three are defined is a single policy entry. +Multiple sanitisation rules can be defined by adding unique subsections, e.g. `[markup.sanitizer.TeX-2]`. ## Time (`time`) |