From b01dce2a6e98c25915a8e98afb741a1c34d05aba Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Thu, 16 Jun 2022 11:33:23 +0800
Subject: Allow render HTML with css/js external links (#19017)
* Allow render HTML with css/js external links
* Fix bug because of filename escape chars
* Fix lint
* Update docs about new configuration item
* Fix bug of render HTML in sub directory
* Add CSP head for displaying iframe in rendering file
* Fix test
* Apply suggestions from code review
Co-authored-by: delvh
* Some improvements
* some improvement
* revert change in SanitizerDisabled of external renderer
* Add sandbox for iframe and support allow-scripts and allow-same-origin
* refactor
* fix
* fix lint
* fine tune
* use single option RENDER_CONTENT_MODE, use sandbox=allow-scripts
* fine tune CSP
* Apply suggestions from code review
Co-authored-by: wxiaoguang
Co-authored-by: delvh
Co-authored-by: wxiaoguang
---
routers/web/repo/view.go | 36 ++++++++++++++++++++----------------
1 file changed, 20 insertions(+), 16 deletions(-)
(limited to 'routers/web/repo/view.go')
diff --git a/routers/web/repo/view.go b/routers/web/repo/view.go
index 01bd2d8923..fe60cf44c7 100644
--- a/routers/web/repo/view.go
+++ b/routers/web/repo/view.go
@@ -356,11 +356,11 @@ func renderReadmeFile(ctx *context.Context, readmeFile *namedBlob, readmeTreelin
 ctx.Data["MarkupType"] = string(markupType)
 var result strings.Builder
 err := markup.Render(&markup.RenderContext{
- Ctx: ctx,
- Filename: readmeFile.name,
- URLPrefix: readmeTreelink,
- Metas: ctx.Repo.Repository.ComposeDocumentMetas(),
- GitRepo: ctx.Repo.GitRepo,
+ Ctx: ctx,
+ RelativePath: ctx.Repo.TreePath,
+ URLPrefix: readmeTreelink,
+ Metas: ctx.Repo.Repository.ComposeDocumentMetas(),
+ GitRepo: ctx.Repo.GitRepo,
 }, rd, &result)
 if err != nil {
 log.Error("Render failed: %v then fallback", err)
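Review bot: In renderReadmeFile the new `RelativePath: ctx.Repo.TreePath` replaces `Filename: readmeFile.name`, yet TreePath here is the directory being browsed (the readme is a file inside it), so the readme's own name no longer reaches the renderer; if RelativePath is used downstream to pick the markup type or to resolve relative links, that differs from what `readmeFile.name` provided. The hunk at -627/+631 makes the same substitution in renderFile, where TreePath is the file itself, so only this site looks suspicious. If passing the directory is intended, say so on the field: `RelativePath: ctx.Repo.TreePath, // directory containing the readme, not the readme's own path`. The body of renderReadmeFile starts and ends outside the hunk.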
@@ -528,18 +528,22 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 if !detected {
 markupType = ""
 }
+ metas := ctx.Repo.Repository.ComposeDocumentMetas()
+ metas["BranchNameSubURL"] = ctx.Repo.BranchNameSubURL()
 err := markup.Render(&markup.RenderContext{
- Ctx: ctx,
- Type: markupType,
- Filename: blob.Name(),
- URLPrefix: path.Dir(treeLink),
- Metas: ctx.Repo.Repository.ComposeDocumentMetas(),
- GitRepo: ctx.Repo.GitRepo,
+ Ctx: ctx,
+ Type: markupType,
+ RelativePath: ctx.Repo.TreePath,
+ URLPrefix: path.Dir(treeLink),
+ Metas: metas,
+ GitRepo: ctx.Repo.GitRepo,
 }, rd, &result)
 if err != nil {
 ctx.ServerError("Render", err)
 return
 }
+ // to prevent iframe load third-party url
+ ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'")
 ctx.Data["EscapeStatus"], ctx.Data["FileContent"] = charset.EscapeControlString(result.String())
 } else if readmeExist && !shouldRenderSource {
 buf := &bytes.Buffer{}
@@ -627,11 +631,11 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 ctx.Data["MarkupType"] = markupType
 var result strings.Builder
 err := markup.Render(&markup.RenderContext{
- Ctx: ctx,
- Filename: blob.Name(),
- URLPrefix: path.Dir(treeLink),
- Metas: ctx.Repo.Repository.ComposeDocumentMetas(),
- GitRepo: ctx.Repo.GitRepo,
+ Ctx: ctx,
+ RelativePath: ctx.Repo.TreePath,
+ URLPrefix: path.Dir(treeLink),
+ Metas: ctx.Repo.Repository.ComposeDocumentMetas(),
+ GitRepo: ctx.Repo.GitRepo,
 }, rd, &result)
 if err != nil {
 ctx.ServerError("Render", err)
-- 
cgit v1.2.3
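Review bot: The added `metas["BranchNameSubURL"] = ctx.Repo.BranchNameSubURL()` writes into the map returned by `ComposeDocumentMetas()`, which is only safe if that method hands back a fresh map per call; if the repository caches it, a per-request value would leak into shared state, so either copy the map before mutating it or document the assumption with `// ComposeDocumentMetas returns a fresh map, so adding a per-request key here is safe`. The new `Content-Security-Policy` line uses `Header().Add`, which appends a second policy if an upstream middleware already set one; browsers enforce every delivered policy, so this only tightens, but the comment above it should say what it protects against, e.g. `// Restrict <iframe> sources in the rendered page to this origin so rendered content cannot embed third-party pages.` The second Render call in the hunk at -627/+631 still passes `ctx.Repo.Repository.ComposeDocumentMetas()` directly, so that path does not receive BranchNameSubURL and does not get the CSP header; confirm whether that asymmetry is intended. renderFile continues outside both hunks.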