diff options
Diffstat (limited to 'modules/base/tool.go')
| -rw-r--r-- | modules/base/tool.go | 30 |
1 files changed, 3 insertions, 27 deletions
diff --git a/modules/base/tool.go b/modules/base/tool.go index ff5a4f4cd9..5043364cec 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -15,17 +15,19 @@ import ( "hash" "html/template" "math" - "regexp" "strings" "time" "github.com/Unknwon/com" "github.com/Unknwon/i18n" + "github.com/microcosm-cc/bluemonday" "github.com/gogits/gogs/modules/avatar" "github.com/gogits/gogs/modules/setting" ) +var Sanitizer = bluemonday.UGCPolicy() + // Encode string to md5 hex value. func EncodeMd5(str string) string { m := md5.New() @@ -473,29 +475,3 @@ func DateFormat(t time.Time, format string) string { format = replacer.Replace(format) return t.Format(format) } - -type xssFilter struct { - reg *regexp.Regexp - repl []byte -} - -var ( - whiteSpace = []byte(" ") - xssFilters = []xssFilter{ - {regexp.MustCompile(`\ [ONon]\w*=["]*`), whiteSpace}, - {regexp.MustCompile(`<[SCRIPTscript]{6}`), whiteSpace}, - {regexp.MustCompile(`=[` + "`" + `'"]*[JAVASCRIPTjavascript \t\0
]*:`), whiteSpace}, - } -) - -// XSS goes through all the XSS filters to make user input content as safe as possible. -func XSS(in []byte) []byte { - for _, filter := range xssFilters { - in = filter.reg.ReplaceAll(in, filter.repl) - } - return in -} - -func XSSString(in string) string { - return string(XSS([]byte(in))) -} |