authorUnknwon <u@gogs.io>2017-03-29 19:52:53 -0400
committerUnknwon <u@gogs.io>2017-03-29 19:52:53 -0400
commit9d06ebd01a07b51ab2513e171dcfb79183c4997c (patch)
tree54222bf85bc0c1c2c51425486354256ad4b25421
parent09723ec0e5be9aae41d6fc3ad87d3eabe1035376 (diff)
markdown: improve filter of class attribute for code blocks
Only allow HighlightJS-specific classes. Reported by ChALkeR.
-rw-r--r--gogs.go2
-rw-r--r--modules/markdown/markdown.go4
-rw-r--r--templates/.VERSION2
3 files changed, 4 insertions, 4 deletions
diff --git a/gogs.go b/gogs.go
index cd5cc73c..2432fd81 100644
--- a/gogs.go
+++ b/gogs.go
@@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
-const APP_VER = "0.10.32.0328 / 0.11 RC"
+const APP_VER = "0.10.33.0329 / 0.11 RC"
func init() {
setting.AppVer = APP_VER
diff --git a/modules/markdown/markdown.go b/modules/markdown/markdown.go
index 0af0d908..6101670c 100644
--- a/modules/markdown/markdown.go
+++ b/modules/markdown/markdown.go
@@ -32,8 +32,8 @@ var Sanitizer = bluemonday.UGCPolicy()
// BuildSanitizer initializes sanitizer with allowed attributes based on settings.
// This function should only be called once during entire application lifecycle.
func BuildSanitizer() {
- // Normal markdown-stuff
- Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&]*`)).OnElements("code")
+ // We only want to allow HighlightJS specific classes for code blocks
+ Sanitizer.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+`)).OnElements("code")
// Checkboxes
Sanitizer.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input")
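Review bot: The new pattern on the `code` class attribute is anchored only at the start, so a value such as `language-go some-other-class` still passes, because bluemonday's Matching accepts any attribute value the regexp matches somewhere; the tightened filter therefore still admits arbitrary trailing classes. Anchoring both ends, `^language-\w+$`, restricts the attribute to exactly one HighlightJS language class, which is what the comment on the line above claims. A small test that asserts `language-go` is kept and `language-go other` is dropped would pin this. Note that Go's RE2 `\w` is ASCII `[0-9A-Za-z_]`, so any highlighter language name containing other characters would be rejected — worth confirming against the language list in use. BuildSanitizer continues past the end of this hunk.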
diff --git a/templates/.VERSION b/templates/.VERSION
index b755053b..f4a81194 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.10.32.0328 / 0.11 RC \ No newline at end of file
+0.10.33.0329 / 0.11 RC \ No newline at end of file