From ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Sat, 7 Dec 2019 14:49:04 -0500 Subject: Markdown: Sanitizier Configuration (#9075) * Support custom sanitization policy Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested). This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup. Resolves: #9054 Signed-off-by: Alexander Scheel * Document new sanitization configuration - Adds basic documentation to app.ini.sample, - Adds an example to the Configuration Cheat Sheet, and - Adds extended information to External Renderers section. Signed-off-by: Alexander Scheel * Drop extraneous length check in newMarkupSanitizer(...) Signed-off-by: Alexander Scheel * Fix plural ELEMENT and ALLOW_ATTR in docs These were left over from their initial names. Make them singular to conform with the current expectations. Signed-off-by: Alexander Scheel --- custom/conf/app.ini.sample | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'custom') diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index 8d11cfc293..050a0db730 100644 --- a/custom/conf/app.ini.sample +++ b/custom/conf/app.ini.sample @@ -877,6 +877,12 @@ SHOW_FOOTER_VERSION = true ; Show template execution time in the footer SHOW_FOOTER_TEMPLATE_LOAD_TIME = true +[markup.sanitizer] +; The following keys can be used multiple times to define sanitation policy rules. +;ELEMENT = span +;ALLOW_ATTR = class +;REGEXP = ^(info|warning|error)$ + [markup.asciidoc] ENABLED = false ; List of file extensions that should be rendered by an external command -- cgit v1.2.3