diff options
| author | zeripath <art27@cantab.net> | 2020-02-28 20:05:12 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-02-28 20:05:12 +0000 |
| commit | 154b137b6d97e11c3d52d3b5844d61f8f14d26b9 (patch) | |
| tree | 8c106401666bce0f394c11a3ec18b290cff89b4c /modules/markup/sanitizer.go | |
| parent | e0ecddc11b799800262363808a1f440a6219dff1 (diff) | |
| download | gitea-154b137b6d97e11c3d52d3b5844d61f8f14d26b9.tar.gz gitea-154b137b6d97e11c3d52d3b5844d61f8f14d26b9.zip | |
Relax sanitization as per https://github.com/jch/html-pipeline (#10527)
Looking at github/markup#245 it is clear that GH uses https://github.com/jch/html-pipeline to sanitize. This PR relaxes our sanitization to more closely match this.
Fixes #10471
and likely others...
Diffstat (limited to 'modules/markup/sanitizer.go')
| -rw-r--r-- | modules/markup/sanitizer.go | 38 |
1 files changed, 35 insertions, 3 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 49f681f05a..ee9944723e 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -50,12 +50,44 @@ func ReplaceSanitizer() { // Allow keyword markup sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span") - // Allow <kbd> tags for keyboard shortcut styling - sanitizer.policy.AllowElements("kbd") - // Allow classes for anchors sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`ref-issue`)).OnElements("a") + // Allow generally safe attributes + generalSafeAttrs := []string{"abbr", "accept", "accept-charset", + "accesskey", "action", "align", "alt", + "aria-describedby", "aria-hidden", "aria-label", "aria-labelledby", + "axis", "border", "cellpadding", "cellspacing", "char", + "charoff", "charset", "checked", + "clear", "cols", "colspan", "color", + "compact", "coords", "datetime", "dir", + "disabled", "enctype", "for", "frame", + "headers", "height", "hreflang", + "hspace", "ismap", "label", "lang", + "maxlength", "media", "method", + "multiple", "name", "nohref", "noshade", + "nowrap", "open", "prompt", "readonly", "rel", "rev", + "rows", "rowspan", "rules", "scope", + "selected", "shape", "size", "span", + "start", "summary", "tabindex", "target", + "title", "type", "usemap", "valign", "value", + "vspace", "width", "itemprop", + } + + generalSafeElements := []string{ + "h1", "h2", "h3", "h4", "h5", "h6", "h7", "h8", "br", "b", "i", "strong", "em", "a", "pre", "code", "img", "tt", + "div", "ins", "del", "sup", "sub", "p", "ol", "ul", "table", "thead", "tbody", "tfoot", "blockquote", + "dl", "dt", "dd", "kbd", "q", "samp", "var", "hr", "ruby", "rt", "rp", "li", "tr", "td", "th", "s", "strike", "summary", + "details", "caption", "figure", "figcaption", + "abbr", "bdo", "cite", "dfn", "mark", "small", "span", "time", "wbr", + } + + sanitizer.policy.AllowAttrs(generalSafeAttrs...).OnElements(generalSafeElements...) + + sanitizer.policy.AllowAttrs("itemscope", "itemtype").OnElements("div") + + // FIXME: Need to handle longdesc in img but there is no easy way to do it + // Custom keyword markup for _, rule := range setting.ExternalSanitizerRules { if rule.Regexp != nil { |