fix #828, may cause unintentional break in other features, but security is no.1

author: Unknwon <joe2010xtmf@163.com> 2015-01-20 13:08:49 +0800
committer: Unknwon <joe2010xtmf@163.com> 2015-01-20 13:08:49 +0800
commit: 8e384ce46c69b0e90168094f64e2ad6c787f4cbb (patch)
tree: 75f29a2b75da9b5e1dceb91137805db6af8c3dd4 /modules/base
parent: 0e286a0ca96ff32241b0d96515d57a37c8a3d5dc (diff)
download: gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.tar.gz
gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.zip
1 files changed, 6 insertions, 3 deletions
diff --git a/modules/base/template.go b/modules/base/template.go
index d96617c05f..829999d1c9 100644
--- a/modules/base/template.go
+++ b/modules/base/template.go
@@ -13,15 +13,19 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 
-	"github.com/gogits/gogs/modules/setting"
 	"github.com/gogits/chardet"
+	"github.com/gogits/gogs/modules/setting"
 )
 
+// FIXME: use me to Markdown API renders
+var p = bluemonday.UGCPolicy()
+
 func Str2html(raw string) template.HTML {
-	return template.HTML(raw)
+	return template.HTML(p.Sanitize(raw))
 }
 
 func Range(l int) []int {
@@ -113,7 +117,6 @@ var TemplateFuncs template.FuncMap = map[string]interface{}{
 		return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"
 	},
 	"AvatarLink": AvatarLink,
-	"str2html":   Str2html, // TODO: Legacy
 	"Str2html":   Str2html,
 	"TimeSince":  TimeSince,
 	"FileSize":   FileSize,
author	Unknwon <joe2010xtmf@163.com>	2015-01-20 13:08:49 +0800
committer	Unknwon <joe2010xtmf@163.com>	2015-01-20 13:08:49 +0800
commit	8e384ce46c69b0e90168094f64e2ad6c787f4cbb (patch)
tree	75f29a2b75da9b5e1dceb91137805db6af8c3dd4 /modules/base
parent	0e286a0ca96ff32241b0d96515d57a37c8a3d5dc (diff)
download	gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.tar.gz gitea-8e384ce46c69b0e90168094f64e2ad6c787f4cbb.zip