diff options
| author | Unknwon <u@gogs.io> | 2019-10-24 01:51:46 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-24 01:51:46 -0700 |
| commit | 01c8df01ec0608f1f25b2f1444adabb98fa5ee8a (patch) | |
| tree | f8a7e5dd8d2a8c51e1ce2cabb9d33571a93314dd /internal/markup/sanitizer.go | |
| parent | 613139e7bef81d3573e7988a47eb6765f3de347a (diff) | |
internal: move packages under this directory (#5836)
* Rename pkg -> internal
* Rename routes -> route
* Move route -> internal/route
* Rename models -> db
* Move db -> internal/db
* Fix route2 -> route
* Move cmd -> internal/cmd
* Bump version
Diffstat (limited to 'internal/markup/sanitizer.go')
| -rw-r--r-- | internal/markup/sanitizer.go | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/internal/markup/sanitizer.go b/internal/markup/sanitizer.go new file mode 100644 index 00000000..e8d76b23 --- /dev/null +++ b/internal/markup/sanitizer.go @@ -0,0 +1,55 @@ +// Copyright 2017 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package markup + +import ( + "regexp" + "sync" + + "github.com/microcosm-cc/bluemonday" + + "gogs.io/gogs/internal/setting" +) + +// Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow +// any modification to the underlying policies once it's been created. +type Sanitizer struct { + policy *bluemonday.Policy + init sync.Once +} + +var sanitizer = &Sanitizer{ + policy: bluemonday.UGCPolicy(), +} + +// NewSanitizer initializes sanitizer with allowed attributes based on settings. +// Multiple calls to this function will only create one instance of Sanitizer during +// entire application lifecycle. +func NewSanitizer() { + sanitizer.init.Do(func() { + // We only want to allow HighlightJS specific classes for code blocks + sanitizer.policy.AllowAttrs("class").Matching(regexp.MustCompile(`^language-\w+$`)).OnElements("code") + + // Checkboxes + sanitizer.policy.AllowAttrs("type").Matching(regexp.MustCompile(`^checkbox$`)).OnElements("input") + sanitizer.policy.AllowAttrs("checked", "disabled").OnElements("input") + + // Data URLs + sanitizer.policy.AllowURLSchemes("data") + + // Custom URL-Schemes + sanitizer.policy.AllowURLSchemes(setting.Markdown.CustomURLSchemes...) + }) +} + +// Sanitize takes a string that contains a HTML fragment or document and applies policy whitelist. +func Sanitize(s string) string { + return sanitizer.policy.Sanitize(s) +} + +// SanitizeBytes takes a []byte slice that contains a HTML fragment or document and applies policy whitelist. +func SanitizeBytes(b []byte) []byte { + return sanitizer.policy.SanitizeBytes(b) +} |