From 04196b7658d70a1dee22a25aeb26e3d1587c316f Mon Sep 17 00:00:00 2001
From: zeripath
Date: Mon, 5 Apr 2021 22:38:31 +0100
Subject: Update to bluemonday-1.0.6 (#15294)

Signed-off-by: Andrew Thornton
---
 modules/markup/sanitizer.go | 4 +++-
 modules/markup/sanitizer_test.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
(limited to 'modules')

diff --git a/modules/markup/sanitizer.go b/modules/markup/sanitizer.go
index 19feaa3cce..9f336d8330 100644
--- a/modules/markup/sanitizer.go
+++ b/modules/markup/sanitizer.go
@@ -46,7 +46,9 @@ func ReplaceSanitizer() {
 sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input")
 
 // Custom URL-Schemes
- sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+ if len(setting.Markdown.CustomURLSchemes) > 0 {
+ sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...)
+ }
 
 // Allow keyword markup
 sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^` + keywordClass + `$`)).OnElements("span")
diff --git a/modules/markup/sanitizer_test.go b/modules/markup/sanitizer_test.go
index 63b70166d8..9e173015d6 100644
--- a/modules/markup/sanitizer_test.go
+++ b/modules/markup/sanitizer_test.go
@@ -6,6 +6,8 @@ package markup
 
 import (
+ "html/template"
+ "strings"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -50,3 +52,13 @@ func Test_Sanitizer(t *testing.T) {
 assert.Equal(t, testCases[i+1], string(SanitizeBytes([]byte(testCases[i]))))
 }
 }
+
+func TestSanitizeNonEscape(t *testing.T) {
+ descStr := "<script>alert(document.domain)</script>"
+
+ output := template.HTML(Sanitize(string(descStr)))
+ if strings.Contains(string(output), "
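Review bot: The new length guard around AllowURLSchemes in ReplaceSanitizer carries no comment saying why an empty variadic call must be avoided, so a later cleanup could fold it straight back into the unconditional call this commit removes. Suggested comment above the `if`: `// Only register custom schemes when some are configured: in bluemonday, AllowURLSchemes with zero arguments is not a no-op (it still flips the policy's URL validation), and the standard schemes are already supplied by the base policy.` The claim that the base policy supplies the standard schemes is inferred from the surrounding sanitizer setup rather than visible in this hunk, so confirm it against the policy constructor before wording it as fact. Separately, whatever appears in setting.Markdown.CustomURLSchemes is allow-listed verbatim with no normalization or rejection of script-capable schemes; if that is intentional, the setting's documentation should state that the list is trusted administrator input. ReplaceSanitizer's body begins before and continues after this hunk.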