From 1bf9e44bda5c8cd1fd72622cffce8ec291db79c5 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 29 Apr 2020 07:34:59 -0400
Subject: Fix sanitizer config - multiple rules (#11133)

In #9888, it was reported that my earlier pull request #9075 didn't quite function as expected. I was quite hopeful the `ValuesWithShadow()` worked as expected (and I thought my testing showed it did) but I guess not.

@zeripath proposed an alternative syntax which I like:

```ini
[markup.sanitizer.1]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something

[markup.sanitizer.2]
ELEMENT=a
ALLOW_ATTR=target
REGEXP=something
```

This was quite easy to adopt into the existing code. I've done so in a semi-backwards-compatible manner:

- The value from `.Value()` is used for each element.
- We parse `[markup.sanitizer]` and all `[markup.sanitizer.*]` sections and add them as rules.

This means that existing configs will load one rule (not all rules). It also means people can use string identifiers (`[markup.sanitiser.KaTeX]`) if they prefer, instead of numbered ones.

Co-authored-by: Andrew Thornton
Co-authored-by: guillep2k <18600385+guillep2k@users.noreply.github.com>
---
 custom/conf/app.ini.sample | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'custom')

diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index 646274c766..8900a58342 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -976,8 +976,10 @@ SHOW_FOOTER_VERSION = true ; Show template execution time in the footer SHOW_FOOTER_TEMPLATE_LOAD_TIME = true -[markup.sanitizer] -; The following keys can be used multiple times to define sanitation policy rules. +[markup.sanitizer.1] +; The following keys can appear once to define a sanitation policy rule. +; This section can appear multiple times by adding a unique alphanumeric suffix to define multiple rules. +; e.g., [markup.sanitizer.1] -> [markup.sanitizer.2] -> [markup.sanitizer.TeX] ;ELEMENT = span ;ALLOW_ATTR = class ;REGEXP = ^(info|warning|error)$ -- cgit v1.2.3
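Review bot: The new comment block in the `[markup.sanitizer.1]` hunk says the keys "can appear once" but does not say what happens when a key is repeated, nor that the old suffix-less `[markup.sanitizer]` section is still read. Since, per the commit message, only one `.Value()` per key is used, a second `ELEMENT`/`ALLOW_ATTR`/`REGEXP` in the same section is silently dropped rather than becoming another rule, and an existing `[markup.sanitizer]` now yields exactly one rule; both are upgrade surprises worth a sentence here, e.g. `; A key repeated within one section is ignored; use a new [markup.sanitizer.<suffix>] section per rule.` and `; The legacy [markup.sanitizer] section (no suffix) is still accepted and defines one rule.` Also, "sanitation policy rule" should read "sanitization policy rule" to match the section name. Finally, the sample `REGEXP = ^(info|warning|error)$` is correctly anchored, but nothing tells the admin that the pattern is a search over the attribute value unless anchored; a note that patterns should be written `^...$` so that `class="info evil"` is rejected would prevent a permissive policy from being configured by accident.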
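To make the semantics described in the commit message concrete, here is an added, self-contained Go example (not Gitea's code and not the `go-ini`/bluemonday path Gitea actually uses): a minimal INI walker that turns every `[markup.sanitizer]` or `[markup.sanitizer.<suffix>]` section into one rule, plus a hypothetical `Allowed` check standing in for the sanitizer policy. `sampleConfig`, `SanitizerRule`, `ParseSanitizerRules` and `Allowed` are all names invented for this example; the "last repeated key wins" behaviour and the requirement that `REGEXP` be non-empty are assumptions of the example, not statements about the project. It also shows why the sample's anchored `^(info|warning|error)$` matters: an unanchored pattern is a substring search and lets unintended attribute values through.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// SanitizerRule holds the three keys a [markup.sanitizer.*] section carries.
type SanitizerRule struct {
	Section   string         // section name the rule came from
	Element   string         // ELEMENT
	AllowAttr string         // ALLOW_ATTR
	Regexp    *regexp.Regexp // compiled REGEXP
}

// sampleConfig is a constructed config fragment for this example, not a real app.ini:
// one numbered section, one string-suffixed section, and an unrelated section.
const sampleConfig = `
[markup.sanitizer.1]
ELEMENT = span
ALLOW_ATTR = class
REGEXP = ^(info|warning|error)$

[markup.sanitizer.KaTeX]
ELEMENT = span
ALLOW_ATTR = class
REGEXP = ^katex$

[ui]
SHOW_FOOTER_VERSION = true
`

// ParseSanitizerRules returns one rule per [markup.sanitizer] or
// [markup.sanitizer.<suffix>] section, in file order. A key repeated inside
// a section does not create a second rule; the last value wins (assumption
// made by this example). An empty REGEXP would match every value, so the
// example rejects it rather than silently allowing anything.
func ParseSanitizerRules(ini string) ([]SanitizerRule, error) {
	var rules []SanitizerRule
	var cur map[string]string // keys of the sanitizer section being read, nil otherwise
	var curName string
	flush := func() error {
		if cur == nil {
			return nil
		}
		if cur["ELEMENT"] == "" || cur["ALLOW_ATTR"] == "" || cur["REGEXP"] == "" {
			return fmt.Errorf("section [%s]: ELEMENT, ALLOW_ATTR and REGEXP are required", curName)
		}
		re, err := regexp.Compile(cur["REGEXP"])
		if err != nil {
			return fmt.Errorf("section [%s]: bad REGEXP: %w", curName, err)
		}
		rules = append(rules, SanitizerRule{curName, cur["ELEMENT"], cur["ALLOW_ATTR"], re})
		cur = nil
		return nil
	}
	sc := bufio.NewScanner(strings.NewReader(ini))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#"):
			continue // blank or comment
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			if err := flush(); err != nil {
				return nil, err
			}
			name := line[1 : len(line)-1]
			if name == "markup.sanitizer" || strings.HasPrefix(name, "markup.sanitizer.") {
				curName, cur = name, map[string]string{}
			}
		default:
			if cur == nil {
				continue // key of a section we do not care about
			}
			kv := strings.SplitN(line, "=", 2) // split on the first '=' only; REGEXP may contain '='
			if len(kv) != 2 {
				return nil, fmt.Errorf("section [%s]: malformed line %q", curName, line)
			}
			cur[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return rules, nil
}

// Allowed reports whether attribute attr=value on element el passes any rule.
// MatchString is a search, so only an anchored REGEXP constrains the whole value.
func Allowed(rules []SanitizerRule, el, attr, value string) bool {
	for _, r := range rules {
		if r.Element == el && r.AllowAttr == attr && r.Regexp.MatchString(value) {
			return true
		}
	}
	return false
}

func main() {
	rules, err := ParseSanitizerRules(sampleConfig)
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("[%s] <%s %s=~%s>\n", r.Section, r.Element, r.AllowAttr, r.Regexp)
	}
	fmt.Println("class=warning allowed:", Allowed(rules, "span", "class", "warning"))
	fmt.Println("class='warning x' allowed:", Allowed(rules, "span", "class", "warning x"))
}
```

Run as-is it lists the two rules from the constructed config and shows the anchored pattern accepting `warning` but rejecting `warning x`; feeding it a single legacy `[markup.sanitizer]` section yields exactly one rule, which is the backwards-compatibility behaviour the commit message describes.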