authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-01-27 00:18:46 +0800
committerGitHub <noreply@github.com>2020-01-27 00:18:46 +0800
commit5e6c3b9d0e9a06764079bc07c0419b1ebf9183eb (patch)
treeb745ef368b6efdc34c508232f1ad785ae3fb8ce1 /internal/markup
parent0a461b829af1ff54994287505012bd07fbf3bf44 (diff)
api: sanitize raw markdown content (#5907)
Fixed a security issue reported by bluebird.
Diffstat (limited to 'internal/markup')
-rw-r--r--internal/markup/markdown.go3
-rw-r--r--internal/markup/markup.go2
2 files changed, 2 insertions, 3 deletions
diff --git a/internal/markup/markdown.go b/internal/markup/markdown.go
index db581a71..a5380028 100644
--- a/internal/markup/markdown.go
+++ b/internal/markup/markdown.go
@@ -157,8 +157,7 @@ func RawMarkdown(body []byte, urlPrefix string) []byte {
extensions |= blackfriday.EXTENSION_HARD_LINE_BREAK
}
- body = blackfriday.Markdown(body, renderer, extensions)
- return body
+ return blackfriday.Markdown(body, renderer, extensions)
}
// Markdown takes a string or []byte and renders to HTML in Markdown syntax with special links.
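Review bot: RawMarkdown still returns the blackfriday output as-is after this hunk, so nothing in these lines sanitizes the HTML. Given the commit title, the sanitizing step presumably sits in a caller outside this path-limited view. The function name does not signal that its result is unsafe to serve directly, so its doc comment should say so, for example `// RawMarkdown renders Markdown to HTML without sanitizing it; callers must sanitize the result before sending it to a client.` The signature and existing doc comment are outside the hunk, so check whether such a warning is already there.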
diff --git a/internal/markup/markup.go b/internal/markup/markup.go
index e09a0ba6..1a22daae 100644
--- a/internal/markup/markup.go
+++ b/internal/markup/markup.go
@@ -334,7 +334,7 @@ func Detect(filename string) Type {
}
}
-// Render takes a string or []byte and renders to HTML in given type of syntax with special links.
+// Render takes a string or []byte and renders to sanitized HTML in given type of syntax with special links.
func Render(typ Type, input interface{}, urlPrefix string, metas map[string]string) []byte {
var rawBytes []byte
switch v := input.(type) {
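Review bot: The new doc comment on Render promises sanitized HTML, but the lines that enforce this are not in the hunk, because Render's body continues past it. Callers will rely on this as a security contract, so the comment should name the step that provides it, e.g. `// The result is passed through the sanitizer before it is returned, for every Type.`, provided that holds on every return path. A regression test asserting that input containing a script element comes back stripped would keep the comment and the code from drifting apart.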