author | wxiaoguang <wxiaoguang@gmail.com> | 2024-03-01 18:16:19 +0800 |
committer | GitHub <noreply@github.com> | 2024-03-01 10:16:19 +0000 |
commit | fb42972c057364a1dc99dfb528554e7a94415be7 (patch) | |
tree | 162d9e043c62df788f438ae2bb65983e301f8517 /modules | |
parent | cb52b17f92e2d2293f7c003649743464492bca48 (diff) | |
download | gitea-fb42972c057364a1dc99dfb528554e7a94415be7.tar.gz gitea-fb42972c057364a1dc99dfb528554e7a94415be7.zip |
Rename Str2html to SanitizeHTML and clarify its behavior (#29516)
Str2html was abused a lot, so use a proper name for it: SanitizeHTML.
And add some tests to show its behavior.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/templates/helper.go | 24 | ||||
-rw-r--r-- | modules/templates/helper_test.go | 5 |
2 files changed, 17 insertions, 12 deletions
diff --git a/modules/templates/helper.go b/modules/templates/helper.go
index 0f39767586..1487fce69d 100644
--- a/modules/templates/helper.go
+++ b/modules/templates/helper.go
@@ -33,16 +33,16 @@ func NewFuncMap() template.FuncMap {
 // -----------------------------------------------------------------
 // html/template related functions
- "dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
- "Eval": Eval,
- "SafeHTML": SafeHTML,
- "HTMLFormat": HTMLFormat,
- "HTMLEscape": HTMLEscape,
- "QueryEscape": url.QueryEscape,
- "JSEscape": JSEscapeSafe,
- "Str2html": Str2html, // TODO: rename it to SanitizeHTML
- "URLJoin": util.URLJoin,
- "DotEscape": DotEscape,
+ "dict": dict, // it's lowercase because this name has been widely used. Our other functions should have uppercase names.
+ "Eval": Eval,
+ "SafeHTML": SafeHTML,
+ "HTMLFormat": HTMLFormat,
+ "HTMLEscape": HTMLEscape,
+ "QueryEscape": url.QueryEscape,
+ "JSEscape": JSEscapeSafe,
+ "SanitizeHTML": SanitizeHTML,
+ "URLJoin": util.URLJoin,
+ "DotEscape": DotEscape,
 "PathEscape": url.PathEscape,
 "PathEscapeSegments": util.PathEscapeSegments,
@@ -207,8 +207,8 @@ func SafeHTML(s any) template.HTML {
 panic(fmt.Sprintf("unexpected type %T", s))
 }
-// Str2html sanitizes the input by pre-defined markdown rules
-func Str2html(s any) template.HTML {
+// SanitizeHTML sanitizes the input by pre-defined markdown rules
+func SanitizeHTML(s any) template.HTML {
 switch v := s.(type) {
 case string:
 return template.HTML(markup.Sanitize(v))
diff --git a/modules/templates/helper_test.go b/modules/templates/helper_test.go
index 8f5d633d4f..3365278ac2 100644
--- a/modules/templates/helper_test.go
+++ b/modules/templates/helper_test.go
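Review bot: The doc comment on the renamed function, `// SanitizeHTML sanitizes the input by pre-defined markdown rules`, still leaves the contract unstated even though the commit title promises to clarify the behavior, and it is the comment template authors will read before deciding whether a value is safe to emit. The new test in helper_test.go pins the properties worth documenting: a link with a `javascript:` href is reduced to its text, a `style` attribute is dropped, `rel="nofollow"` is added to kept links, and a `template.HTML` argument is sanitized rather than trusted as already safe. I would replace the comment with `// SanitizeHTML runs the input through markup.Sanitize (the markdown HTML policy), so unsafe URL schemes and disallowed attributes are removed and a template.HTML argument is re-sanitized rather than trusted.` The type switch continues outside the hunk, so the handling of the remaining argument types (presumably a panic like SafeHTML) cannot be checked here.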
@@ -61,3 +61,8 @@ func TestJSEscapeSafe(t *testing.T) {
 func TestHTMLFormat(t *testing.T) {
 assert.Equal(t, template.HTML("<a>< < 1</a>"), HTMLFormat("<a>%s %s %d</a>", "<", template.HTML("<"), 1))
 }
+
+func TestSanitizeHTML(t *testing.T) {
+ assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))
+ assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)))
+}
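Review bot: The two assertions in TestSanitizeHTML repeat the same input and expected literal verbatim, differing only in the argument type, which hides the point the test is making. Naming the pair once, `input := ...` and `want := template.HTML(...)`, and then asserting `SanitizeHTML(input)` and `SanitizeHTML(template.HTML(input))` against `want` makes it explicit that a `template.HTML` argument gets the same treatment as a plain string, which is the property a reader most needs to see. A short comment such as `// template.HTML input is sanitized too, not trusted as already safe` on the second assertion would say why the duplicate case exists.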