path: root/modules/markup/sanitizer.go
Commit message | Author | Age | Files | Lines
Add loading spinners and mermaid error handling (#12358) | silverwind | 2020-08-04 | 1 file, -0/+1

    - Add loading spinners on editor and mermaid renderers
    - Add error handling and inline error box for mermaid
    - Fix Mermaid rendering by using the .init api
Server-side syntax highlighting for all code (#12047) | mrsdizzie | 2020-07-01 | 1 file, -4/+4

    * Server-side syntax highlighting for all code

    This PR does a few things:
    * Remove all traces of highlight.js
    * Use chroma library to provide fast syntax highlighting directly on the server
    * Provide syntax highlighting for diffs
    * Re-style both unified and split diffs views
    * Add custom syntax highlighting styling for both regular and arc-green

    Fixes #7729
    Fixes #10157
    Fixes #11825
    Fixes #7728
    Fixes #3872
    Fixes #3682
    And perhaps gets closer to #9553

    * fix line marker
    * fix repo search
    * Fix single line select
    * properly load settings
    * npm uninstall highlight.js
    * review suggestion
    * code review
    * forgot to call function
    * fix test
    * Apply suggestions from code review
    suggestions from @silverwind thanks
    Co-authored-by: silverwind <me@silverwind.io>
    * code review
    * copy/paste error
    * Use const for highlight size limit
    * Update web_src/less/_repository.less
    Co-authored-by: Lauris BH <lauris@nix.lv>
    * update size limit to 1MB and other styling tweaks
    * fix highlighting for certain diff sections
    * fix test
    * add worker back as suggested

    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: Lauris BH <lauris@nix.lv>
Prevent 500 with badly formed task list (#11328) | zeripath | 2020-05-11 | 1 file, -1/+1

    Fix #11317
    Signed-off-by: Andrew Thornton <art27@cantab.net>
Restore checkbox rendering and prevent poor sanitization of spans (#11277) | zeripath | 2020-05-03 | 1 file, -2/+3

    * Add test
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    * Restore checkbox rendering and prevent poor sanitization of spans
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    * Also fix preview context
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    * Also fix preview context
    Signed-off-by: Andrew Thornton <art27@cantab.net>
Support unicode emojis and remove emojify.js (#11032) | mrsdizzie | 2020-04-28 | 1 file, -0/+4

    * Support unicode emojis and remove emojify.js

    This PR replaces all use of emojify.js and adds unicode emoji support to various areas of gitea. This works in a few ways:

    First it adds emoji parsing support into gitea itself. This allows us to
    * Render emojis from valid alias (:smile:)
    * Detect unicode emojis and let us put them in their own class with proper aria-labels and styling
    * Easily allow for custom "emoji"
    * Support all emoji rendering and features without javascript
    * Uses plain unicode and lets the system render in appropriate emoji font
    * Doesn't leave us relying on external sources for updates/fixes/features

    That same list of emoji is also used to create a json file which replaces the part of emojify.js that populates the emoji search tribute. This file is about 35KB with GZIP turned on and I've set it to load after the page renders to not hinder page load time (and this removes loading emojify.js also).

    For custom "emoji" it uses a pretty simple scheme of just looking for /emojis/img/name.png where name is something a user has put in the "allowed reactions" setting we already have. The gitea reaction that was previously hard coded into a forked copy of emojify.js is included and works as a custom reaction under this method.

    The emoji data sourced here is from https://github.com/github/gemoji which is the gem library Github uses for their emoji rendering (and a data source for other sites). So we should be able to easily render any emoji and :alias: that Github can, removing any errors from migrated content. They also update it as well, so we can sync when there are new unicode emoji lists released.

    I've included a slimmed down and slightly modified forked copy of https://github.com/knq/emoji to make up our own emoji module. The code is pretty straightforward and again allows us to have a lot of flexibility in what happens.

    I had seen a few comments about performance in some of the other threads if we render this ourselves, but there doesn't seem to be any issue here. In a test it can parse, convert, and render 1,000 emojis inside of a large markdown table in about 100ms on my laptop (which is many more emojis than will ever be in any normal issue). This also prevents any flickering and other weirdness from using javascript to render some things while using go for others.

    Not included here are image fallback URLs. I don't really think they are necessary for anything new being written in 2020. However, managing the emoji ourselves would allow us to add these as a feature later on if it seems necessary.

    Fixes: https://github.com/go-gitea/gitea/issues/9182
    Fixes: https://github.com/go-gitea/gitea/issues/8974
    Fixes: https://github.com/go-gitea/gitea/issues/8953
    Fixes: https://github.com/go-gitea/gitea/issues/6628
    Fixes: https://github.com/go-gitea/gitea/issues/5130

    * add new shared function emojiHTML
    * don't increase emoji size in issue title
    * Update templates/repo/issue/view_content/add_reaction.tmpl
    Co-Authored-By: 6543 <6543@obermui.de>
    * Support for emoji rendering in various templates
    * Render code and review comments as they should be
    * Better way to handle mail subjects
    * insert unicode from tribute selection
    * Add template helper for plain text when needed
    * Use existing replace function I forgot about
    * Don't include emoji greater than Unicode Version 12
    Only include emoji and aliases in JSON
    * Update build/generate-emoji.go
    * Tweak regex slightly to really match everything including random invisible characters.
    Run tests for every emoji we have
    * final updates
    * code review
    * code review
    * hard code gitea custom emoji to match previous behavior
    * Update .eslintrc
    Co-Authored-By: silverwind <me@silverwind.io>
    * disable preempt

    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: 6543 <6543@obermui.de>
    Co-authored-by: Lauris BH <lauris@nix.lv>
    Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
Make TaskCheckBox render correctly (#11214) | zeripath | 2020-04-26 | 1 file, -2/+6

    * Fix checkbox rendering
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    * Normalize checkbox rendering
    Signed-off-by: Andrew Thornton <art27@cantab.net>
    * set the checkboxes to readonly instead of disabled
    Signed-off-by: Andrew Thornton <art27@cantab.net>

    Co-authored-by: Lauris BH <lauris@nix.lv>
Use markdown frontmatter to provide Table of contents, language and frontmatter rendering (#11047) | zeripath | 2020-04-24 | 1 file, -0/+3

    * Add control for the rendering of the frontmatter
    * Add control to include a TOC
    * Add control to set language - allows control of ToC header and CJK glyph choice.

    Signed-off-by: Andrew Thornton art27@cantab.net
Fix task-list checkbox styling (#10668) | Alexander Scheel | 2020-03-08 | 1 file, -0/+3

    * Fix task-list checkbox styling

    The pandoc renderer will append the class "task-list" to the ul element wrapping a li with one or more check-boxes. This allows us to select for them, removing their list-style-type property.

    However, goldmark and the gfm spec doesn't specify the "task-list" class name, so we can't use that to fix the issue there.

    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

    * Update to goldmark v1.1.25

    This version adds the missing space after a checkbox.

    Resolves: #9656
    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

    Co-authored-by: zeripath <art27@cantab.net>
Relax sanitization as per https://github.com/jch/html-pipeline (#10527) | zeripath | 2020-02-28 | 1 file, -3/+35

    Looking at github/markup#245 it is clear that GH uses https://github.com/jch/html-pipeline to sanitize. This PR relaxes our sanitization to more closely match this.

    Fixes #10471 and likely others...
Issue/PR Context Popups (#9822) | John Olheiser | 2020-01-19 | 1 file, -0/+3

    * Add data-index attribute to issue anchors
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Init JS
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Add required data to anchor
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Finish popup
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Revert changes to html.go
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Better octicon contexts
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Split out popup function for re-use
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Style changes, test fixes, and cross-reference support
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Prefer em to px
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Move label margin to base CSS
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Move JS to separate file.
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Move JS to features and fix module
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Remove query-string and hash
    Co-Authored-By: silverwind <me@silverwind.io>

    Co-authored-by: Lauris BH <lauris@nix.lv>
    Co-authored-by: Antoine GIRARD <sapk@users.noreply.github.com>
    Co-authored-by: silverwind <me@silverwind.io>
    Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
    Co-authored-by: zeripath <art27@cantab.net>
Allow hyphen in language name (#9873) | zeripath | 2020-01-19 | 1 file, -1/+1
Change markdown rendering from blackfriday to goldmark (#9533) | zeripath | 2019-12-31 | 1 file, -0/+8

    * Move to goldmark

    Markdown rendering moved from blackfriday to the goldmark. Multiple subtle changes required to the goldmark extensions to keep current rendering and defaults.

    Can go further with goldmark linkify and have this work within markdown rendering making the link processor unnecessary.

    Need to think about how to go about allowing extensions - at present it seems that these would be hard to do without recompilation.

    * linter fixes

    Co-authored-by: Lauris BH <lauris@nix.lv>
Markdown: Sanitizer Configuration (#9075) | Alexander Scheel | 2019-12-07 | 1 file, -0/+9

    * Support custom sanitization policy

    Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `<span>` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested).

    This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup.

    Resolves: #9054
    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

    * Document new sanitization configuration

    - Adds basic documentation to app.ini.sample,
    - Adds an example to the Configuration Cheat Sheet, and
    - Adds extended information to External Renderers section.

    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

    * Drop extraneous length check in newMarkupSanitizer(...)

    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>

    * Fix plural ELEMENT and ALLOW_ATTR in docs

    These were left over from their initial names. Make them singular to conform with the current expectations.

    Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
Allow kbd tags (#9245) | John Olheiser | 2019-12-03 | 1 file, -0/+3

    * Allow kbd tags
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
    * Add test
    Signed-off-by: jolheiser <john.olheiser@gmail.com>
Fix race condition in ReplaceSanitizer (#9123) | zeripath | 2019-11-22 | 1 file, -1/+0
Support inline rendering of CUSTOM_URL_SCHEMES (#8496) | guillep2k | 2019-10-15 | 1 file, -11/+17

    * Support inline rendering of CUSTOM_URL_SCHEMES
    * Fix lint
    * Add tests
    * Fix lint
Rewrite reference processing code in preparation for opening/closing from comment references (#8261) | guillep2k | 2019-10-13 | 1 file, -0/+3

    * Add a markdown stripper for mentions and xrefs
    * Improve comments
    * Small code simplification
    * Move reference code to modules/references
    * Fix typo
    * Make MarkdownStripper return [][]byte
    * Implement preliminary keywords parsing
    * Add FIXME comment
    * Fix comment
    * make fmt
    * Fix permissions check
    * Fix text assumptions
    * Fix imports
    * Fix lint, fmt
    * Fix unused import
    * Add missing export comment
    * Bypass revive on implemented interface
    * Move mdstripper into its own package
    * Support alphanumeric patterns
    * Refactor FindAllMentions
    * Move mentions test to references
    * Parse mentions from reference package
    * Refactor code to implement renderizable references
    * Fix typo
    * Move patterns and tests to the references package
    * Fix nil reference
    * Preliminary rendering attempt of closing keywords
    * Normalize names, comments, general tidy-up
    * Add CSS style for action keywords
    * Fix permission for admin and owner
    * Fix golangci-lint
    * Fix golangci-lint
Restructure markup & markdown to prepare for multiple markup language… (#2411) | Lunny Xiao | 2017-09-16 | 1 file, -0/+58

    * restructure markup & markdown to prepare for multiple markup languages support
    * adjust some functions between markdown and markup
    * fix tests
    * improve the comments