diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-06-16 11:33:23 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-16 11:33:23 +0800 |
| commit | b01dce2a6e98c25915a8e98afb741a1c34d05aba (patch) | |
| tree | b391ae8dff3ed5270b9721900bdc667b05fd555c /modules/setting | |
| parent | 7d1770cd714416bd80f114681d19e3076a0b0966 (diff) | |
| download | gitea-b01dce2a6e98c25915a8e98afb741a1c34d05aba.tar.gz gitea-b01dce2a6e98c25915a8e98afb741a1c34d05aba.zip | |
Allow render HTML with css/js external links (#19017)
* Allow render HTML with css/js external links
* Fix bug because of filename escape chars
* Fix lint
* Update docs about new configuration item
* Fix bug of render HTML in sub directory
* Add CSP head for displaying iframe in rendering file
* Fix test
* Apply suggestions from code review
Co-authored-by: delvh <dev.lh@web.de>
* Some improvements
* some improvement
* revert change in SanitizerDisabled of external renderer
* Add sandbox for iframe and support allow-scripts and allow-same-origin
* refactor
* fix
* fix lint
* fine tune
* use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts
* fine tune CSP
* Apply suggestions from code review
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'modules/setting')
| -rw-r--r-- | modules/setting/markup.go | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/modules/setting/markup.go b/modules/setting/markup.go index 5fb6af6838..fd41bdd7cc 100644 --- a/modules/setting/markup.go +++ b/modules/setting/markup.go @@ -20,6 +20,12 @@ var ( MermaidMaxSourceCharacters int ) +const ( + RenderContentModeSanitized = "sanitized" + RenderContentModeNoSanitizer = "no-sanitizer" + RenderContentModeIframe = "iframe" +) + // MarkupRenderer defines the external parser configured in ini type MarkupRenderer struct { Enabled bool @@ -29,7 +35,7 @@ type MarkupRenderer struct { IsInputFile bool NeedPostProcess bool MarkupSanitizerRules []MarkupSanitizerRule - DisableSanitizer bool + RenderContentMode string } // MarkupSanitizerRule defines the policy for whitelisting attributes on @@ -144,13 +150,28 @@ func newMarkupRenderer(name string, sec *ini.Section) { return } + if sec.HasKey("DISABLE_SANITIZER") { + log.Error("Deprecated setting `[markup.*]` `DISABLE_SANITIZER` present. This fallback will be removed in v1.18.0") + } + + renderContentMode := sec.Key("RENDER_CONTENT_MODE").MustString(RenderContentModeSanitized) + if !sec.HasKey("RENDER_CONTENT_MODE") && sec.Key("DISABLE_SANITIZER").MustBool(false) { + renderContentMode = RenderContentModeNoSanitizer // if only the legacy DISABLE_SANITIZER exists, use it + } + if renderContentMode != RenderContentModeSanitized && + renderContentMode != RenderContentModeNoSanitizer && + renderContentMode != RenderContentModeIframe { + log.Error("invalid RENDER_CONTENT_MODE: %q, default to %q", renderContentMode, RenderContentModeSanitized) + renderContentMode = RenderContentModeSanitized + } + ExternalMarkupRenderers = append(ExternalMarkupRenderers, &MarkupRenderer{ - Enabled: sec.Key("ENABLED").MustBool(false), - MarkupName: name, - FileExtensions: exts, - Command: command, - IsInputFile: sec.Key("IS_INPUT_FILE").MustBool(false), - NeedPostProcess: sec.Key("NEED_POSTPROCESS").MustBool(true), - DisableSanitizer: sec.Key("DISABLE_SANITIZER").MustBool(false), + Enabled: sec.Key("ENABLED").MustBool(false), + MarkupName: name, + FileExtensions: exts, + Command: command, + IsInputFile: sec.Key("IS_INPUT_FILE").MustBool(false), + NeedPostProcess: sec.Key("NEED_POSTPROCESS").MustBool(true), + RenderContentMode: renderContentMode, }) } |