diff options
| author | Alexander Scheel <alexander.m.scheel@gmail.com> | 2019-12-07 14:49:04 -0500 |
|---|---|---|
| committer | techknowlogick <techknowlogick@gitea.io> | 2019-12-07 14:49:04 -0500 |
| commit | ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9 (patch) | |
| tree | 73229ccd7b291bc1c48fa2aed78cdf1dd7100b6f /docs/content/doc/advanced/external-renderers.en-us.md | |
| parent | cecc31951c1b12864e13a2dd148a5e96c74d9a5c (diff) | |
| download | gitea-ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9.tar.gz gitea-ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9.zip | |
Markdown: Sanitizier Configuration (#9075)
* Support custom sanitization policy
Allowing the gitea administrator to configure sanitization policy allows
them to couple external renders and custom templates to support more
markup. In particular, the `pandoc` renderer allows generating KaTeX
annotations, wrapping them in `<span>` elements with class `math` and
either `inline` or `display` (depending on whether or not inline or
block mode was requested).
This iteration gives the administrator whitelisting powers; carefully
crafted regexes will thus let through only the desired attributes
necessary to support their custom markup.
Resolves: #9054
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Document new sanitization configuration
- Adds basic documentation to app.ini.sample,
- Adds an example to the Configuration Cheat Sheet, and
- Adds extended information to External Renderers section.
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Drop extraneous length check in newMarkupSanitizer(...)
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Fix plural ELEMENT and ALLOW_ATTR in docs
These were left over from their initial names. Make them singular to
conform with the current expectations.
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Diffstat (limited to 'docs/content/doc/advanced/external-renderers.en-us.md')
| -rw-r--r-- | docs/content/doc/advanced/external-renderers.en-us.md | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/content/doc/advanced/external-renderers.en-us.md b/docs/content/doc/advanced/external-renderers.en-us.md index a14f344e63..ec1ee63fb6 100644 --- a/docs/content/doc/advanced/external-renderers.en-us.md +++ b/docs/content/doc/advanced/external-renderers.en-us.md @@ -68,4 +68,22 @@ RENDER_COMMAND = rst2html.py IS_INPUT_FILE = false ``` +If your external markup relies on additional classes and attributes on the generated HTML elements, you might need to enable custom sanitizer policies. Gitea uses the [`bluemonday`](https://godoc.org/github.com/microcosm-cc/bluemonday) package as our HTML sanitizier. The example below will support [KaTeX](https://katex.org/) output from [`pandoc`](https://pandoc.org/). + +```ini +[markup.sanitizer] +; Pandoc renders TeX segments as <span>s with the "math" class, optionally +; with "inline" or "display" classes depending on context. +ELEMENT = span +ALLOW_ATTR = class +REGEXP = ^\s*((math(\s+|$)|inline(\s+|$)|display(\s+|$)))+ + +[markup.markdown] +ENABLED = true +FILE_EXTENSIONS = .md,.markdown +RENDER_COMMAND = pandoc -f markdown -t html --katex +``` + +You may redefine `ELEMENT`, `ALLOW_ATTR`, and `REGEXP` multiple times; each time all three are defined is a single policy entry. All three must be defined, but `REGEXP` may be blank to allow unconditional whitelisting of that attribute. + Once your configuration changes have been made, restart Gitea to have changes take effect. |