authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-03-21 00:12:38 +0800
committerGitHub <noreply@github.com>2020-03-21 00:12:38 +0800
commita43fc9ad17d4337dd26b9b8d867470ca8c548b41 (patch)
treed72df012123e792f66824b67e9425fdb3685af52 /internal/app/api.go
parentc69a38652da09cb10bfe31714b6b39fec3f8ede8 (diff)
ipynb: sanitize rendered HTML (#5996)
* ipynb: sanitize rendered HTML. Fixes #5170. * Remove hardcoded URL. * Add tests.
Diffstat (limited to 'internal/app/api.go')
-rw-r--r--internal/app/api.go36
1 files changed, 36 insertions, 0 deletions
diff --git a/internal/app/api.go b/internal/app/api.go
new file mode 100644
index 00000000..c64e946e
--- /dev/null
+++ b/internal/app/api.go
@@ -0,0 +1,36 @@
+// Copyright 2020 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package app
+
+import (
+ "net/http"
+
+ "github.com/microcosm-cc/bluemonday"
+ "gopkg.in/macaron.v1"
+
+ "gogs.io/gogs/internal/context"
+)
+
+func ipynbSanitizer() *bluemonday.Policy {
+ p := bluemonday.UGCPolicy()
+ p.AllowAttrs("class", "data-prompt-number").OnElements("div")
+ p.AllowAttrs("class").OnElements("img")
+ p.AllowURLSchemes("data")
+ return p
+}
+
+func SanitizeIpynb() macaron.Handler {
+ p := ipynbSanitizer()
+
+ return func(c *context.Context) {
+ html, err := c.Req.Body().String()
+ if err != nil {
+ c.Error(err, "read body")
+ return
+ }
+
+ c.PlainText(http.StatusOK, p.Sanitize(html))
+ }
+}
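Review bot: `p.AllowURLSchemes("data")` on line 42 admits `data:` URLs on every URL-bearing attribute the UGC policy already allows, including `a href`, not only the notebook's embedded output images, so sanitized output can still carry a `data:text/html` or `data:application/octet-stream` link that a browser may offer as a download or navigation target on click. bluemonday's `p.AllowDataURIImages()`, which per its documentation permits data URIs only on `img src` with image MIME types, looks like the narrower fit; worth confirming it exists in the vendored bluemonday version and, if so, replacing line 42 with `p.AllowDataURIImages()`. Separately, `c.Req.Body().String()` on line 50 reads the entire request body into memory with no visible size bound, so unless an upstream limit applies, wrapping the body in `http.MaxBytesReader` before sanitizing would keep a large POST from being a cheap memory exhaustion. A doc comment on `SanitizeIpynb` stating that it expects the raw rendered notebook HTML as the request body and responds with the sanitized HTML as `text/plain` would also help callers.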