* "mail/issue/default.tmpl": the body is rendered by backend `markdown.RenderString() HTML`, it has been already sanitized * "repo/settings/webhook/base_list.tmpl": "Description" is prepared by backend `ctx.Tr`, it doesn't need to be sanitizedtags/v1.22.0-rc0
@@ -224,7 +224,7 @@ Please check [Gitea's logs](administration/logging-config.md) for error messages | |||
{{if not (eq .Body "")}} | |||
<h3>Message content</h3> | |||
<hr> | |||
{{.Body | SanitizeHTML}} | |||
{{.Body}} | |||
{{end}} | |||
</p> | |||
<hr> |
@@ -207,7 +207,7 @@ _主题_ 和 _邮件正文_ 由 [Golang的模板引擎](https://go.dev/pkg/text/ | |||
{{if not (eq .Body "")}} | |||
<h3>消息内容:</h3> | |||
<hr> | |||
{{.Body | SanitizeHTML}} | |||
{{.Body}} | |||
{{end}} | |||
</p> | |||
<hr> |
@@ -208,14 +208,8 @@ func SafeHTML(s any) template.HTML { | |||
} | |||
// SanitizeHTML sanitizes the input by pre-defined markdown rules | |||
func SanitizeHTML(s any) template.HTML { | |||
switch v := s.(type) { | |||
case string: | |||
return template.HTML(markup.Sanitize(v)) | |||
case template.HTML: | |||
return template.HTML(markup.Sanitize(string(v))) | |||
} | |||
panic(fmt.Sprintf("unexpected type %T", s)) | |||
func SanitizeHTML(s string) template.HTML { | |||
return template.HTML(markup.Sanitize(s)) | |||
} | |||
func HTMLEscape(s any) template.HTML { |
@@ -64,5 +64,4 @@ func TestHTMLFormat(t *testing.T) { | |||
func TestSanitizeHTML(t *testing.T) { | |||
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`)) | |||
assert.Equal(t, template.HTML(`<a href="/" rel="nofollow">link</a> xss <div>inline</div>`), SanitizeHTML(template.HTML(`<a href="/">link</a> <a href="javascript:">xss</a> <div style="dangerous">inline</div>`))) | |||
} |
@@ -58,7 +58,7 @@ | |||
{{.locale.Tr "mail.issue.action.new" .Doer.Name .Issue.Index}} | |||
{{end}} | |||
{{else}} | |||
{{.Body | SanitizeHTML}} | |||
{{.Body}} | |||
{{end -}} | |||
{{- range .ReviewComments}} | |||
<hr> |
@@ -10,7 +10,7 @@ | |||
<div class="ui attached segment"> | |||
<div class="ui list"> | |||
<div class="item"> | |||
{{.Description | SanitizeHTML}} | |||
{{.Description}} | |||
</div> | |||
{{range .Webhooks}} | |||
<div class="item truncated-item-container"> |
@@ -1,5 +1,5 @@ | |||
{{/* This page should only depend the minimal template functions/variables, to avoid triggering new panics. | |||
* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName, SanitizeHTML | |||
* base template functions: AppName, AssetUrlPrefix, AssetVersion, AppSubUrl, ThemeName | |||
* ctx.Locale | |||
* .Flash | |||
* .ErrorMsg |