Security: prevent XSS attach on wiki page

Reported by Miguel Ángel Jimeno.
author: Unknwon <u@gogs.io> 2017-02-15 18:05:02 -0500
committer: Kim "BKC" Carlbäcker <kim.carlbacker@gmail.com> 2017-02-16 04:06:20 +0100
commit: 134f3e6e09ed0583bc377a08ef46a51013635a2e (patch)
tree: 0226e2d5ecd4bdb2ff8701d216f82fc960d90ae7 /modules
parent: 43c94d0a6cd8daf01125df3bf895f1beb1bcd664 (diff)
download: gitea-134f3e6e09ed0583bc377a08ef46a51013635a2e.tar.gz
gitea-134f3e6e09ed0583bc377a08ef46a51013635a2e.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 0c56ae0e0a..b03128a0b1 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/microcosm-cc/bluemonday"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/text/transform"
 	"gopkg.in/editorconfig/editorconfig-core-go.v1"
@@ -61,6 +62,7 @@ func NewFuncMap() []template.FuncMap {
 		},
 		"AvatarLink":   base.AvatarLink,
 		"Safe":         Safe,
+		"Sanitize":     bluemonday.UGCPolicy().Sanitize,
 		"Str2html":     Str2html,
 		"TimeSince":    base.TimeSince,
 		"RawTimeSince": base.RawTimeSince,
author	Unknwon <u@gogs.io>	2017-02-15 18:05:02 -0500
committer	Kim "BKC" Carlbäcker <kim.carlbacker@gmail.com>	2017-02-16 04:06:20 +0100
commit	134f3e6e09ed0583bc377a08ef46a51013635a2e (patch)
tree	0226e2d5ecd4bdb2ff8701d216f82fc960d90ae7 /modules
parent	43c94d0a6cd8daf01125df3bf895f1beb1bcd664 (diff)
download	gitea-134f3e6e09ed0583bc377a08ef46a51013635a2e.tar.gz gitea-134f3e6e09ed0583bc377a08ef46a51013635a2e.zip