diff options
| author | Alexander Scheel <alexander.m.scheel@gmail.com> | 2019-12-07 14:49:04 -0500 |
|---|---|---|
| committer | techknowlogick <techknowlogick@gitea.io> | 2019-12-07 14:49:04 -0500 |
| commit | ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9 (patch) | |
| tree | 73229ccd7b291bc1c48fa2aed78cdf1dd7100b6f /modules/markup | |
| parent | cecc31951c1b12864e13a2dd148a5e96c74d9a5c (diff) | |
| download | gitea-ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9.tar.gz gitea-ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9.zip | |
Markdown: Sanitizier Configuration (#9075)
* Support custom sanitization policy
Allowing the gitea administrator to configure sanitization policy allows
them to couple external renders and custom templates to support more
markup. In particular, the `pandoc` renderer allows generating KaTeX
annotations, wrapping them in `<span>` elements with class `math` and
either `inline` or `display` (depending on whether or not inline or
block mode was requested).
This iteration gives the administrator whitelisting powers; carefully
crafted regexes will thus let through only the desired attributes
necessary to support their custom markup.
Resolves: #9054
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Document new sanitization configuration
- Adds basic documentation to app.ini.sample,
- Adds an example to the Configuration Cheat Sheet, and
- Adds extended information to External Renderers section.
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Drop extraneous length check in newMarkupSanitizer(...)
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Fix plural ELEMENT and ALLOW_ATTR in docs
These were left over from their initial names. Make them singular to
conform with the current expectations.
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Diffstat (limited to 'modules/markup')
| -rw-r--r-- | modules/markup/sanitizer.go | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 0ebb3ff88b..f7789a9e56 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -50,6 +50,15 @@ func ReplaceSanitizer() { // Allow <kbd> tags for keyboard shortcut styling sanitizer.policy.AllowElements("kbd") + + // Custom keyword markup + for _, rule := range setting.ExternalSanitizerRules { + if rule.Regexp != nil { + sanitizer.policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element) + } else { + sanitizer.policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element) + } + } } // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. |