authorYarden Shoham <git@yardenshoham.com>2023-05-19 18:17:07 +0300
committerGitHub <noreply@github.com>2023-05-19 17:17:07 +0200
commitf5ce2ed292a90041abd749a8db26671645648a43 (patch)
tree22e5223563b637f4a3fb9fdefb5cdae37d7e6eb3 /modules/markup/sanitizer.go
parent38cf43d0606c13c38f459659f38e26cf31dceccb (diff)
Allow all URL schemes in Markdown links by default (#24805)
- Closes #21146
- Closes #16721

## :warning: BREAKING :warning:

This changes the default behavior: links are now created for any URL scheme when the user uses the markdown form for links (`[label](URL)`). This doesn't affect the rendering of inline links.

To opt out, set the `markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes; all other schemes (except `http` and `https`) won't be allowed.

# Before

![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d)

# After

![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Diffstat (limited to 'modules/markup/sanitizer.go')
-rw-r--r--modules/markup/sanitizer.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 600ccbf3c6..a0c9ee171f 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -22,7 +22,10 @@ type Sanitizer struct {
init sync.Once
}
-var sanitizer = &Sanitizer{}
+var (
+ sanitizer = &Sanitizer{}
+ allowAllRegex = regexp.MustCompile(".+")
+)
// NewSanitizer initializes sanitizer with allowed attributes based on settings.
// Multiple calls to this function will only create one instance of Sanitizer during
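Review bot: `allowAllRegex` has no comment, and nothing at the declaration says that it is applied to URL schemes rather than whole URLs, or that it is the permissive fallback. I would add `// allowAllRegex matches any URL scheme; it is used only when markdown.CUSTOM_URL_SCHEMES is empty.` above it so that a later reader does not reuse it as a general-purpose matcher.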
@@ -74,6 +77,8 @@ func createDefaultPolicy() *bluemonday.Policy {
// Custom URL-Schemes
if len(setting.Markdown.CustomURLSchemes) > 0 {
policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+ } else {
+ policy.AllowURLSchemesMatching(allowAllRegex)
}
// Allow classes for anchors
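Review bot: The new `else` branch admits every URL scheme, including ones that run script or carry inline content when the rendered link is followed (`javascript`, `vbscript`, `data`), so on a default install the sanitizer no longer gives any scheme-level protection for `[label](URL)` links. The branch should keep those schemes denied even when everything else is allowed; bluemonday has `AllowURLSchemeWithCustomPolicy`, but whether a per-scheme policy takes precedence over a matching regexp must be confirmed against the vendored version, and if it does not, the pattern itself has to be narrowed. A sanitizer test asserting that a `javascript:` Markdown link loses its `href` under the default configuration would pin the behaviour down. An empty `CUSTOM_URL_SCHEMES` now means "allow all" rather than "no extra schemes", which deserves a comment at the branch, e.g. `// empty list: no restriction on schemes`. createDefaultPolicy starts and ends outside the hunk.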