authorzeripath <art27@cantab.net>2021-04-05 22:38:31 +0100
committerGitHub <noreply@github.com>2021-04-05 17:38:31 -0400
commit04196b7658d70a1dee22a25aeb26e3d1587c316f (patch)
tree9095331975714251797154d069ca01ead6f60999 /modules
parente10d028b039af5d63ef29f4c33fb04029da3d5a8 (diff)
Update to bluemonday-1.0.6 (#15294)
Signed-off-by: Andrew Thornton <art27@cantab.net>
Diffstat (limited to 'modules')
-rw-r--r--modules/markup/sanitizer.go4
-rw-r--r--modules/markup/sanitizer_test.go12
2 files changed, 15 insertions, 1 deletions
diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 19feaa3cce..9f336d8330 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -46,7 +46,9 @@ func ReplaceSanitizer() {
sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")
// Custom URL-Schemes
- sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+ if len(setting.Markdown.CustomURLSchemes) > 0 {
+ sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+ }
// Allow keyword markup
sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
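Review bot: The new length guard around AllowURLSchemes at lines 28-30 carries no comment explaining why an empty call must be avoided, so a later cleanup could fold it back into the unconditional form the hunk removes. I would record the reason above the `if`, e.g. `// Only register custom schemes when some are configured; passing no schemes to AllowURLSchemes is presumably not a no-op under bluemonday 1.0.6 (see #15294).`, adjusted to whatever the upgrade actually changed. Separately, the configured schemes are still handed to the policy verbatim, so a scheme such as `javascript` placed in CUSTOM_URL_SCHEMES would be allow-listed in the sanitizer; if that is not intended, rejecting or warning on such values at config load time is worth considering. ReplaceSanitizer begins and ends outside this hunk.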
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
index 63b70166d8..9e173015d6 100644
--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@@ -6,6 +6,8 @@
package markup
import (
+ "html/template"
+ "strings"
"testing"
"github.com/stretchr/testify/assert"
@@ -50,3 +52,13 @@ func Test_Sanitizer(t *testing.T) {
assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i]))))
}
}
+
+func TestSanitizeNonEscape(t *testing.T) {
+ descStr := "<scrİpt>&lt;script&gt;alert(document.domain)&lt;/script&gt;</scrİpt>"
+
+ output := template.HTML(Sanitize(string(descStr)))
+ if strings.Contains(string(output), "<script>") {
+ t.Errorf("un-escaped <script> in output: %q", output)
+ }
+
+}