diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2017-09-17 01:17:57 +0800 |
|---|---|---|
| committer | Lauris BH <lauris@nix.lv> | 2017-09-16 20:17:57 +0300 |
| commit | 52e11b24bf5e395d83ea58c1b0fd6922efe16add (patch) | |
| tree | f00c9da35c1f2afc3446b8607217e4d4315959ec /modules/markup/sanitizer.go | |
| parent | 911ca0215377b34559f2304a22dce863e219b255 (diff) | |
| download | gitea-52e11b24bf5e395d83ea58c1b0fd6922efe16add.tar.gz gitea-52e11b24bf5e395d83ea58c1b0fd6922efe16add.zip | |
Restructure markup & markdown to prepare for multiple markup languageā¦ (#2411)
* restructure markup & markdown to prepare for multiple markup languages support
* adjust some functions between markdown and markup
* fix tests
* improve the comments
Diffstat (limited to 'modules/markup/sanitizer.go')
| -rw-r--r-- | modules/markup/sanitizer.go | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go new file mode 100644 index 0000000000..2ec43cf4fd --- /dev/null +++ b/modules/markup/sanitizer.go @@ -0,0 +1,58 @@ +// Copyright 2017 The Gitea Authors. All rights reserved. +// Copyright 2017 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package markup + +import ( + "regexp" + "sync" + + "code.gitea.io/gitea/modules/setting" + + "github.com/microcosm-cc/bluemonday" +) + +// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow +// any modification to the underlying policies once it's been created. +type Sanitizer struct { + policy *bluemonday.Policy + init sync.Once +} + +var sanitizer = &Sanitizer{} + +// NewSanitizer initializes sanitizer with allowed attributes based on settings. +// Multiple calls to this function will only create one instance of Sanitizer during +// entire application lifecycle. +func NewSanitizer() { + sanitizer.init.Do(func() { + sanitizer.policy = bluemonday.UGCPolicy() + // We only want to allow HighlightJS specific classes for code blocks + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+$`)).OnElements("code") + + // Checkboxes + sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input") + sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input") + + // Custom URL-Schemes + sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) + }) +} + +// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. +func Sanitize(s string) string { + NewSanitizer() + return sanitizer.policy.Sanitize(s) +} + +// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist. +func SanitizeBytes(b []byte) []byte { + if len(b) == 0 { + // nothing to sanitize + return b + } + NewSanitizer() + return sanitizer.policy.SanitizeBytes(b) +} |