author | KN4CK3R <admin@oldschoolhack.me> | 2021-11-19 11:46:47 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-19 18:46:47 +0800 |
commit | a09b40de8d1dae7107437cfba42cee201fcd6d42 (patch) | |
tree | a03178bec52d12444c6daf1b48d0f84e8486fa30 /modules/markup/renderer.go | |
parent | 381e131fc8d1a3d93002dfbbf853d9d4aab2c547 (diff) | |
Prevent double sanitize (#16386)
* Prevent double sanitize.
* Use SanitizeReaderToWriter.
At the moment `actualRender` uses `SanitizeReader` to sanitize the output. But `SanitizeReader` gets called in `markup.render` too so the output gets sanitized twice.
I moved the `SanitizeReader` call into `RenderRaw` because this method does not use `markup.render`. I would like to remove the `RenderRaw`/`RenderRawString` methods too because they are only called from tests, the fuzzer and the `/markup/raw` API endpoint. This endpoint is not in use so I think we could remove them. If we really need a method in the future to render markdown without PostProcessing, we could achieve this with a more flexible `renderer.NeedPostProcess` method.
Diffstat (limited to 'modules/markup/renderer.go')
-rw-r--r-- | modules/markup/renderer.go | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/modules/markup/renderer.go b/modules/markup/renderer.go index 3cd7cea700..0ac0daaea9 100644 --- a/modules/markup/renderer.go +++ b/modules/markup/renderer.go @@ -144,8 +144,7 @@ func render(ctx *RenderContext, renderer Renderer, input io.Reader, output io.Wr wg.Add(1) go func() { - buf := SanitizeReader(pr2, renderer.Name()) - _, err = io.Copy(output, buf) + err = SanitizeReader(pr2, renderer.Name(), output) _ = pr2.Close() wg.Done() }() |
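Review bot: `err = SanitizeReader(pr2, renderer.Name(), output)` inside the `go func()` assigns to an `err` that is not declared in the closure, so the sanitizer's result is written to the enclosing function's variable from a second goroutine. That is only safe if nothing else in `render` assigns or reads `err` before `wg.Wait()` returns; a goroutine-local error variable that is merged after the wait would make the ordering explicit. The error from `pr2.Close()` is still discarded on the next line, which deserves a short comment saying why that is acceptable. Because this call is, per the commit message, meant to be the only sanitization pass left on this path, a test asserting that the output of `render` is sanitized would guard against the call being dropped in a later refactor. The commit message also says "Use SanitizeReaderToWriter" while the hunk calls a three-argument `SanitizeReader`; the message or the function name should be aligned.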