path: root/modules/markup/sanitizer.go
author: KN4CK3R <admin@oldschoolhack.me> 2021-11-19 11:46:47 +0100
committer: GitHub <noreply@github.com> 2021-11-19 18:46:47 +0800
commit: a09b40de8d1dae7107437cfba42cee201fcd6d42 (patch)
tree: a03178bec52d12444c6daf1b48d0f84e8486fa30 /modules/markup/sanitizer.go
parent: 381e131fc8d1a3d93002dfbbf853d9d4aab2c547 (diff)
Prevent double sanitize (#16386)
* Prevent double sanitize.
* Use SanitizeReaderToWriter.

At the moment `actualRender` uses `SanitizeReader` to sanitize the output. But `SanitizeReader` gets called in `markup.render` too, so the output gets sanitized twice. I moved the `SanitizeReader` call into `RenderRaw` because this method does not use `markup.render`.

I would like to remove the `RenderRaw`/`RenderRawString` methods too because they are only called from tests, the fuzzer and the `/markup/raw` api endpoint. This endpoint is not in use, so I think we could remove them. If in the future we really need a method to render markdown without PostProcessing, we could achieve this with a more flexible `renderer.NeedPostProcess` method.
Diffstat (limited to 'modules/markup/sanitizer.go')
-rw-r--r-- modules/markup/sanitizer.go | 5
1 files changed, 2 insertions, 3 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 5ff26a3109..92dd19f0a1 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -6,7 +6,6 @@
package markup
import (
- "bytes"
"io"
"regexp"
"sync"
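Review bot: dropping the `"bytes"` import is only correct if `SanitizeReader` was the last user of that package in sanitizer.go; the second hunk removes the `*bytes.Buffer` return type, but this diff cannot show whether `bytes` is referenced elsewhere in the file, so make sure the package still builds rather than relying on the hunk alone.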
@@ -149,11 +148,11 @@ func Sanitize(s string) string {
}
// SanitizeReader sanitizes a Reader
-func SanitizeReader(r io.Reader, renderer string) *bytes.Buffer {
+func SanitizeReader(r io.Reader, renderer string, w io.Writer) error {
NewSanitizer()
policy, exist := sanitizer.rendererPolicies[renderer]
if !exist {
policy = sanitizer.defaultPolicy
}
- return policy.SanitizeReader(r)
+ return policy.SanitizeReaderToWriter(r, w)
}
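Review bot: the doc comment `// SanitizeReader sanitizes a Reader` should be updated for the new signature, since the function now writes sanitized output to `w` and returns an `error` instead of a `*bytes.Buffer`; something like `// SanitizeReader sanitizes r with the renderer's policy and writes the result to w` would do. Also note that `policy.SanitizeReaderToWriter(r, w)` streams into `w` as it goes, whereas the old version handed back a fully sanitized buffer, so every caller must check the returned error and must not treat what has already reached `w` as complete, trustworthy output when the error is non-nil; callers that need all-or-nothing output should sanitize into an intermediate buffer before writing to the response.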