From ee7df7ba8c5e6a4b32b0c4048d2b535d8df3cbe9 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Sat, 7 Dec 2019 14:49:04 -0500 Subject: Markdown: Sanitizier Configuration (#9075) * Support custom sanitization policy Allowing the gitea administrator to configure sanitization policy allows them to couple external renders and custom templates to support more markup. In particular, the `pandoc` renderer allows generating KaTeX annotations, wrapping them in `` elements with class `math` and either `inline` or `display` (depending on whether or not inline or block mode was requested). This iteration gives the administrator whitelisting powers; carefully crafted regexes will thus let through only the desired attributes necessary to support their custom markup. Resolves: #9054 Signed-off-by: Alexander Scheel * Document new sanitization configuration - Adds basic documentation to app.ini.sample, - Adds an example to the Configuration Cheat Sheet, and - Adds extended information to External Renderers section. Signed-off-by: Alexander Scheel * Drop extraneous length check in newMarkupSanitizer(...) Signed-off-by: Alexander Scheel * Fix plural ELEMENT and ALLOW_ATTR in docs These were left over from their initial names. Make them singular to conform with the current expectations. Signed-off-by: Alexander Scheel --- modules/markup/sanitizer.go | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'modules/markup') diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go index 0ebb3ff88b..f7789a9e56 100644 --- a/modules/markup/sanitizer.go +++ b/modules/markup/sanitizer.go @@ -50,6 +50,15 @@ func ReplaceSanitizer() { // Allow tags for keyboard shortcut styling sanitizer.policy.AllowElements("kbd") + + // Custom keyword markup + for _, rule := range setting.ExternalSanitizerRules { + if rule.Regexp != nil { + sanitizer.policy.AllowAttrs(rule.AllowAttr).Matching(rule.Regexp).OnElements(rule.Element) + } else { + sanitizer.policy.AllowAttrs(rule.AllowAttr).OnElements(rule.Element) + } + } } // Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. -- cgit v1.2.3