markdown: improve filter of class attribute for code blocks

Only allow HighlightJS specific classes. Reported by ChALkeR.
8 years ago · 9d06ebd01a
3 changed files with 4 additions and 4 deletions
--- a/gogs.go
+++ b/gogs.go
@ -16,7 +16,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )
-const APP_VER = "0.10.32.0328 / 0.11 RC"
+const APP_VER = "0.10.33.0329 / 0.11 RC"
 func init() {
 	setting.AppVer = APP_VER
--- a/modules/markdown/markdown.go
+++ b/modules/markdown/markdown.go
@ -32,8 +32,8 @@ var Sanitizer = bluemonday.UGCPolicy()
 // BuildSanitizer initializes sanitizer with allowed attributes based on settings.
 // This function should only be called once during entire application lifecycle.
 func BuildSanitizer() {
-	// Normal markdown-stuff
+	// We only want to allow HighlightJS specific classes for code blocks
-	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
+	Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
 	// Checkboxes
 	Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
--- a/templates/.VERSION
+++ b/templates/.VERSION
@ -1 +1 @@
-0.10.32.0328 / 0.11 RC
+0.10.33.0329 / 0.11 RC
		`@ -1 +1 @@`
			`0.10.32.0328 / 0.11 RC`				`0.10.33.0329 / 0.11 RC`