From a09b40de8d1dae7107437cfba42cee201fcd6d42 Mon Sep 17 00:00:00 2001
From: KN4CK3R <admin@oldschoolhack.me>
Date: Fri, 19 Nov 2021 11:46:47 +0100
Subject: Prevent double sanitize (#16386)

* Prevent double sanitize.
* Use SanitizeReaderToWriter.

At the moment `actualRender` uses `SanitizeReader` to sanitize the output. But `SanitizeReader` gets called in `markup.render` too so the output gets sanitized twice.

I moved the `SanitizeReader` call into `RenderRaw` because this method does not use `markup.render`. I would also like to remove the `RenderRaw`/`RenderRawString` methods, because they are only called from tests, the fuzzer and the `/markup/raw` API endpoint. That endpoint is not in use, so I think we could remove them. If we really need a method in the future to render markdown without PostProcessing, we could achieve this with a more flexible `renderer.NeedPostProcess` method.
---
 modules/markup/sanitizer.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)


diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 5ff26a3109..92dd19f0a1 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -6,7 +6,6 @@
 package markup
 
 import (
-	"bytes"
 	"io"
 	"regexp"
 	"sync"
@@ -149,11 +148,11 @@ func Sanitize(s string) string {
 }
 
 // SanitizeReader sanitizes a Reader
-func SanitizeReader(r io.Reader, renderer string) *bytes.Buffer {
+func SanitizeReader(r io.Reader, renderer string, w io.Writer) error {
 	NewSanitizer()
 	policy, exist := sanitizer.rendererPolicies[renderer]
 	if !exist {
 		policy = sanitizer.defaultPolicy
 	}
-	return policy.SanitizeReader(r)
+	return policy.SanitizeReaderToWriter(r, w)
 }
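Review bot: The doc comment on the changed function (`// SanitizeReader sanitizes a Reader`) no longer describes the signature: the new `w io.Writer` parameter and the error return are undocumented, and nothing tells callers what `w` holds when the error is non-nil. If bluemonday's SanitizeReaderToWriter streams tokens as it goes (as its name suggests), part of the sanitized output may already have been written to `w` when a read or write error is returned, so a caller that ignores the error and serves the writer's contents would emit a truncated document; the old `*bytes.Buffer` return could not fail this way, so every call site converted by this commit should check the error before using `w`. I would replace the comment with `// SanitizeReader sanitizes the HTML read from r using the policy registered for renderer (the default policy when none is registered) and writes the result to w.` followed by `// It returns the first read or write error; w may hold partial output when err != nil, so callers must check it before using w's contents.` The fallback to the default policy for an unknown renderer name is unchanged by this commit but worth stating, since a mistyped renderer name silently selects the default rules instead of failing.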
-- 
cgit v1.2.3