diff options
| author | Lunny Xiao <xiaolunwen@gmail.com> | 2022-06-16 11:33:23 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-16 11:33:23 +0800 |
| commit | b01dce2a6e98c25915a8e98afb741a1c34d05aba (patch) | |
| tree | b391ae8dff3ed5270b9721900bdc667b05fd555c /routers/web/repo/view.go | |
| parent | 7d1770cd714416bd80f114681d19e3076a0b0966 (diff) | |
| download | gitea-b01dce2a6e98c25915a8e98afb741a1c34d05aba.tar.gz gitea-b01dce2a6e98c25915a8e98afb741a1c34d05aba.zip | |
Allow render HTML with css/js external links (#19017)
* Allow render HTML with css/js external links
* Fix bug because of filename escape chars
* Fix lint
* Update docs about new configuration item
* Fix bug of render HTML in sub directory
* Add CSP head for displaying iframe in rendering file
* Fix test
* Apply suggestions from code review
Co-authored-by: delvh <dev.lh@web.de>
* Some improvements
* some improvement
* revert change in SanitizerDisabled of external renderer
* Add sandbox for iframe and support allow-scripts and allow-same-origin
* refactor
* fix
* fix lint
* fine tune
* use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts
* fine tune CSP
* Apply suggestions from code review
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Diffstat (limited to 'routers/web/repo/view.go')
| -rw-r--r-- | routers/web/repo/view.go | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go index 01bd2d8923..fe60cf44c7 100644 --- a/routers/web/repo/view.go +++ b/routers/web/repo/view.go @@ -356,11 +356,11 @@ func renderReadmeFile(ctx *context.Context, readmeFile *namedBlob, readmeTreelin ctx.Data["MarkupType"] = string(markupType) var result strings.Builder err := markup.Render(&markup.RenderContext{ - Ctx: ctx, - Filename: readmeFile.name, - URLPrefix: readmeTreelink, - Metas: ctx.Repo.Repository.ComposeDocumentMetas(), - GitRepo: ctx.Repo.GitRepo, + Ctx: ctx, + RelativePath: ctx.Repo.TreePath, + URLPrefix: readmeTreelink, + Metas: ctx.Repo.Repository.ComposeDocumentMetas(), + GitRepo: ctx.Repo.GitRepo, }, rd, &result) if err != nil { log.Error("Render failed: %v then fallback", err) @@ -528,18 +528,22 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st if !detected { markupType = "" } + metas := ctx.Repo.Repository.ComposeDocumentMetas() + metas["BranchNameSubURL"] = ctx.Repo.BranchNameSubURL() err := markup.Render(&markup.RenderContext{ - Ctx: ctx, - Type: markupType, - Filename: blob.Name(), - URLPrefix: path.Dir(treeLink), - Metas: ctx.Repo.Repository.ComposeDocumentMetas(), - GitRepo: ctx.Repo.GitRepo, + Ctx: ctx, + Type: markupType, + RelativePath: ctx.Repo.TreePath, + URLPrefix: path.Dir(treeLink), + Metas: metas, + GitRepo: ctx.Repo.GitRepo, }, rd, &result) if err != nil { ctx.ServerError("Render", err) return } + // to prevent iframe load third-party url + ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'") ctx.Data["EscapeStatus"], ctx.Data["FileContent"] = charset.EscapeControlString(result.String()) } else if readmeExist && !shouldRenderSource { buf := &bytes.Buffer{} @@ -627,11 +631,11 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st ctx.Data["MarkupType"] = markupType var result strings.Builder err := markup.Render(&markup.RenderContext{ - Ctx: ctx, - Filename: blob.Name(), - URLPrefix: path.Dir(treeLink), - Metas: ctx.Repo.Repository.ComposeDocumentMetas(), - GitRepo: ctx.Repo.GitRepo, + Ctx: ctx, + RelativePath: ctx.Repo.TreePath, + URLPrefix: path.Dir(treeLink), + Metas: ctx.Repo.Repository.ComposeDocumentMetas(), + GitRepo: ctx.Repo.GitRepo, }, rd, &result) if err != nil { ctx.ServerError("Render", err) |