Browse Source

markdown: improve filter of class attribute for code blocks

Only allow HighlightJS specific classes.

Reported by ChALkeR.
pull/3696/merge
Unknwon 8 years ago
parent
commit
9d06ebd01a
No known key found for this signature in database
GPG Key ID: 7A02C406FAC875A2
  1. 2
      gogs.go
  2. 4
      modules/markdown/markdown.go
  3. 2
      templates/.VERSION

2
gogs.go

@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
const APP_VER = "0.10.32.0328 / 0.11 RC"
const APP_VER = "0.10.33.0329 / 0.11 RC"
func init() {
setting.AppVer = APP_VER

4
modules/markdown/markdown.go

@ -32,8 +32,8 @@ var Sanitizer = bluemonday.UGCPolicy()
// BuildSanitizer initializes sanitizer with allowed attributes based on settings.
// This function should only be called once during entire application lifecycle.
func BuildSanitizer() {
// Normal markdown-stuff
Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
// We only want to allow HighlightJS specific classes for code blocks
Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
// Checkboxes
Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")

2
templates/.VERSION

@ -1 +1 @@
0.10.32.0328 / 0.11 RC
0.10.33.0329 / 0.11 RC
Loading…
Cancel
Save